🛡️ Oracle IAAS Instance legacy IMDS endpoints are enabled🟢

Contextual name: 🛡️ Oracle IAAS Instance legacy IMDS endpoints are enabled🟢
ID: /ce/ca/oracle/compute/disable-instance-legacy-metadata-endpoint
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Oracle IAAS Instance
- 🔌 Oracle IAAS Instance - object.extracts.yaml
- 🧪 test-data.json

Description

Description

This policy identifies Oracle IAAS Instances where legacy Instance Metadata Service (IMDS) endpoints are enabled.

Rationale

The instance metadata service provides runtime information that applications and agents can use from inside a compute instance. Legacy metadata endpoints support older IMDS behavior and can increase the risk of metadata or credential exposure if a workload is affected by Server-Side Request Forgery (SSRF), open proxy behavior, or similar request-forwarding flaws.

Disabling legacy IMDS endpoints helps enforce the newer metadata service behavior and reduces the attack surface for instance metadata access.

Audit

This policy flags an Oracle IAAS Instance as INCOMPLIANT when the Instance Options: Legacy IMDS Endpoints field is set to Enabled.

Instances where Instance Options: Legacy IMDS Endpoints is set to Disabled are marked as COMPLIANT.

Instances where the field is empty or contains an unexpected value are marked as UNDETERMINED.

Remediation

Open File

Remediation

Disable Legacy IMDS Endpoints

Update each affected OCI compute instance so areLegacyImdsEndpointsDisabled is set to true. If the instance is managed through Terraform, Resource Manager, or another infrastructure-as-code workflow, update the source configuration before applying the change so future deployments keep legacy IMDS endpoints disabled.

From OCI CLI

Update the affected instance:
oci compute instance update \
    --instance-id {{instance-id}} \
    --instance-options '{"areLegacyImdsEndpointsDisabled": true}'
Repeat the update for each incompliant instance and verify that legacy IMDS endpoints are disabled after the change is applied.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Oracle v3.1.0 → 💼 3.1 Ensure Compute Instance Legacy Metadata service endpoint is disabled - Level 2 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			57		no data

Logic​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Disable Legacy IMDS Endpoints​

From OCI CLI​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Audit

Remediation

Remediation

Disable Legacy IMDS Endpoints

From OCI CLI

policy.yaml

Linked Framework Sections