Enhanced instance metadata service (IMDSv2) is not enforced

Logging and monitoring

Enhanced instance metadata service (IMDSv2) is not enforced

Risk Level

Informational (4)

Platform(s)

Compliance Frameworks

AWS Foundational Security Best Practices Controls
HITRUST
NIST 800-53
Orca Best Practices

Description

The use of IMDSv2, the enhanced version of the Instance Metadata Service, is not enforced on the EC2 instance {AwsEc2Instance} ({AwsEc2Instance.InstanceId}). IMDSv2 solves a lot of security issues in the original version (IMDSv1) by using session-based authentication. If an instance is still using IMDSv1, malicious actors can use compromised applications running inside it to gain unauthorized access to the metadata service.

Recommended Mitigation

Enhance the security of the metadata service by enforcing the use of IMDSv2 on all EC2 instances. For more details please see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

Enhanced instance metadata service (IMDSv2) is not enforced

Description

Need help?