💼 [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)

  • ID: /frameworks/aws-fsbp-v1.0.0/ec2/08

Description

You use instance metadata to configure or manage the running instance. The IMDS provides access to temporary, frequently rotated credentials. These credentials remove the need to hard code or distribute sensitive credentials to instances manually or programmatically. The IMDS is attached locally to every EC2 instance. It runs on a special "link local" IP address of 169.254.169.254. This IP address is only accessible by software that runs on the instance.

Version 2 of the IMDS adds new protections against the following classes of vulnerability, each of which could otherwise be abused to reach the IMDS from outside the instance:

  • Open website application firewalls
  • Open reverse proxies
  • Server-side request forgery (SSRF) vulnerabilities
  • Open Layer 3 firewalls and network address translation (NAT)
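The following is an added example, not code from AWS or from this framework page, showing how a defender would check instances against this control. It assumes the shape of the `MetadataOptions` block that `aws ec2 describe-instances` returns (`HttpTokens` is `required` when only IMDSv2 session tokens are accepted, `optional` when IMDSv1 requests still work); the instance records below are constructed sample data, not a live API call, so the script runs offline.

```python
"""Evaluate EC2 instance metadata options for control EC2.8 (IMDSv2 required).

Added example (not AWS or framework code). It inspects the MetadataOptions
block of describe-instances output and reports which instances still accept
IMDSv1 requests, together with the CLI command that enforces IMDSv2.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    instance_id: str
    status: str        # "PASSED" or "FAILED"
    reason: str
    remediation: str   # CLI command to run, or "" when nothing is needed


def evaluate_instance(instance: Dict) -> Finding:
    """Return a finding for one instance record from describe-instances."""
    iid = instance["InstanceId"]
    opts = instance.get("MetadataOptions", {})
    # An instance with no MetadataOptions block is treated as the API default,
    # which is HttpTokens=optional (IMDSv1 allowed). Assumption for this example.
    tokens = opts.get("HttpTokens", "optional")
    endpoint = opts.get("HttpEndpoint", "enabled")

    if tokens == "required":
        return Finding(iid, "PASSED",
                       "HttpTokens=required: only IMDSv2 session tokens accepted", "")

    # IMDSv1 is still accepted, so a request without a session token (for
    # example one relayed through an SSRF flaw) would reach the metadata
    # service. Require tokens and keep the endpoint enabled.
    cmd = ("aws ec2 modify-instance-metadata-options "
           f"--instance-id {iid} --http-tokens required --http-endpoint enabled")
    return Finding(iid, "FAILED",
                   f"HttpTokens={tokens}, HttpEndpoint={endpoint}: IMDSv1 still accepted",
                   cmd)


def evaluate_reservations(reservations: List[Dict]) -> List[Finding]:
    """Flatten a describe-instances 'Reservations' list into findings."""
    return [evaluate_instance(inst)
            for res in reservations
            for inst in res.get("Instances", [])]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status, e.g. {'PASSED': 1, 'FAILED': 2}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed sample in the shape of describe-instances output (not real
# instances): one compliant, one explicitly IMDSv1-capable, one with no
# MetadataOptions block at all.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0example0000000aa",
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0example0000000bb",
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0example0000000cc"},
    ]},
]


if __name__ == "__main__":
    results = evaluate_reservations(SAMPLE_RESERVATIONS)
    for f in results:
        print(f"{f.status:6} {f.instance_id}  {f.reason}")
        if f.remediation:
            print(f"       remediate: {f.remediation}")
    print(summarize(results))
```

Against a real account, replace `SAMPLE_RESERVATIONS` with the `Reservations` list from `aws ec2 describe-instances --output json` (or `boto3`'s `describe_instances()`), and review the printed remediation commands before running them, since requiring tokens breaks any software on the instance that still makes IMDSv1 calls.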

Similar

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement15537no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control14no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control11no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege102349no data
💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse.16no data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance

Policies (1)

PolicyLogic CountFlagsCompliance
🛡️ AWS EC2 Instance IMDSv2 is not enabled🟢1🟢 x6no data

Internal Rules

RulePoliciesFlags
✉️ dec-x-b42fae781