Logging and monitoring

Enhanced instance metadata service (IMDSv2) is not enforced


The use of IMDSv2, the enhanced version of the Instance Metadata Service, is not enforced on the EC2 instance {AwsEc2Instance} ({AwsEc2Instance.InstanceId}). IMDSv2 solves a lot of security issues in the original version (IMDSv1) by using session-based authentication. If an instance is still using IMDSv1, malicious actors can use compromised applications running inside it to gain unauthorized access to the metadata service.
  • Recommended Mitigation

    Enhance the security of the metadata service by enforcing the use of IMDSv2 on all EC2 instances. For more details please see <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html" target="_blank" rel="noopener noreferrer">https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html</a>