Skip to main content

πŸ“ AWS EC2 Instance IMDSv2 is not enabled 🟒

  • Contextual name: πŸ“ Instance IMDSv2 is not enabled 🟒
  • ID: /ce/ca/aws/ec2/instance-imdsv2
  • Located in: πŸ“ AWS EC2

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-b42fae781

Logic​

Description​

Open File

Description​

When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).

Rationale​

Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, host name, events, and security groups.

When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method). With IMDSv2, every request is now protected by session authentication. A session begins and ends a series of requests that software running on an EC2 instance uses to access the locally-stored EC2 instance metadata and credentials.

... see more

Remediation​

Open File

Remediation​

From Console​

  1. Sign in to the AWS Management Console and navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
  2. In the left navigation panel, under the INSTANCES section, choose Instances.
  3. Select the EC2 instance that you want to examine.
  4. Choose Actions > Instance Settings > Modify instance metadata options.
  5. Ensure Instance metadata service is set to Enable and set IMDSv2 to Required.
  6. Repeat steps no. 1 – 5 to perform the remediation process for other EC2 Instances in the all applicable AWS region(s).

From Command Line​

  1. Run the describe-instances command using appropriate filtering to list the IDs of all the existing EC2 instances currently available in the selected region:
aws ec2 describe-instances --region <region-name> --output table --query "Reservations[*].Instances[*].InstanceId"
  1. The command output should return a table with the requested instance IDs.
  2. Now run the modify-instance-metadata-options command using an instance ID returned at the previous step to update the Instance Metadata Version:

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36b configuration management β€”the configuration of information assets minimises vulnerabilities and is defined, assessed, registered, maintained, including when new vulnerabilities and threats are discovered, and applied consistently;11
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)11
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 5.6 Ensure that EC2 Metadata Service only allows IMDSv2 - Level 1 (Automated)11
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 5.6 Ensure that EC2 Metadata Service only allows IMDSv2 - Level 1 (Automated)11
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 5.7 Ensure that the EC2 Metadata Service only allows IMDSv2 (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 5.7 Ensure that the EC2 Metadata Service only allows IMDSv2 (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 5.7 Ensure that the EC2 Metadata Service only allows IMDSv2 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access43
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3747
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)81133
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6 Least Privilege (M)(H)633
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage40
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15417
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3(7) Access Enforcement _ Role-based Access Control7
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control10
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6 Least Privilege102126
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification1820
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2.4 Configure system security parameters to prevent misuse.1
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.6 System security parameters are configured to prevent misuse.1
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.6 System security parameters are configured to prevent misuse.1