🛡️ AWS EC2 Launch Template Latest Version is not configured to require IMDSv2 🟢
- Contextual name: 🛡️ EC2 Launch Template Latest Version is not configured to require IMDSv2 🟢
- ID: /ce/ca/aws/ec2/launch-template-imdsv2
- Tags:
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
Similar Policies
- AWS Security Hub: [EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)
Description
This policy checks whether the latest version of an AWS EC2 Launch Template is configured to require Instance Metadata Service Version 2 (IMDSv2).
Rationale
IMDSv2 uses session-oriented authentication for instance metadata requests and helps reduce the risk of credential exposure through Server-Side Request Forgery (SSRF) and similar metadata-access attacks.
Launch templates evolve through versioning. If the latest version does not require IMDSv2, newly published template revisions can introduce or preserve weaker metadata access settings. Reviewing the latest version helps ensure the most recent launch template configuration maintains a secure metadata baseline.
Impact
If the metadata options are left unspecified in the latest launch template version, the effective behavior can depend on inherited defaults rather than an explicit IMDSv2 requirement.
Audit
This policy flags an AWS EC2 Launch Template as INCOMPLIANT when its Latest Version has:
- Metadata HTTP Endpoint set to disabled, or...
Remediation
Require IMDSv2 for the Latest Launch Template Version
Launch template versions are immutable. To enforce IMDSv2, publish a new template version with the required metadata options.
From Command Line
Create a new launch template version from the current latest version:
```shell
aws ec2 create-launch-template-version \
  --launch-template-id {{launch-template-id}} \
  --source-version {{current-latest-version-number}} \
  --version-description "Require IMDSv2" \
  --launch-template-data '{"MetadataOptions":{"HttpEndpoint":"enabled","HttpTokens":"required"}}'
```
This command creates a new latest version of the launch template. Replace {{launch-template-id}} with the ID of the launch template and {{current-latest-version-number}} with its current latest version number. If the launch template is managed through infrastructure as code, update the source configuration so future deployments continue to require IMDSv2.
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2) | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 Secure Access | 56 | no data | |||
| 💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse. | 17 | no data | |||
| 💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse. | 17 | no data | |||
| 💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse. | 12 | 17 | no data | | |