Logging and monitoring

Enhanced instance metadata service (version 2) is not enforced

Risk Level

Informational (4)

Platform(s)

Description

The use of IMDSv2, the enhanced version of the Instance Metadata Service, is not enforced on all EC2 instances. IMDSv2 addresses the main weaknesses of the original version (IMDSv1) by making requests session-oriented: a caller must first obtain a session token with a PUT request and present it on every subsequent request. If an instance still accepts IMDSv1, malicious actors who have compromised an application running inside it can use that application to gain unauthorized access to the metadata service.
Recommended Mitigation

Enhance the security of the metadata service by enforcing the use of IMDSv2 on all EC2 instances. For more details please see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
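The check and the remediation call this finding implies, as an added example that is not part of the original page or of any AWS tooling. It assumes the input has the shape of boto3's `ec2.describe_instances()` response (`MetadataOptions` with `HttpEndpoint` and `HttpTokens`); the instance IDs in the sample are constructed.

```python
# Constructed sample in the shape of ec2.describe_instances()["Reservations"]
# (boto3); instance IDs are made up for this example.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa000000000000a",   # IMDSv1 still accepted
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0bbb000000000000b",   # IMDSv2 enforced
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0ccc000000000000c",   # endpoint off: no IMDS at all
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0ddd000000000000d"},  # no options reported: default is optional
    ]},
]


def find_imdsv1_instances(reservations):
    """Return IDs of instances whose metadata endpoint still accepts IMDSv1.
    Flagged when the endpoint is enabled (or unreported) and HttpTokens is
    anything other than "required". A disabled endpoint answers neither
    IMDSv1 nor IMDSv2, so it is not reported under this finding."""
    flagged = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue
            if opts.get("HttpTokens", "optional") != "required":
                flagged.append(inst["InstanceId"])
    return flagged


def enforcement_kwargs(instance_id):
    """Arguments for ec2.modify_instance_metadata_options() that require
    the IMDSv2 session token while keeping the endpoint reachable."""
    return {"InstanceId": instance_id, "HttpTokens": "required",
            "HttpEndpoint": "enabled"}


def audit(reservations):
    """Map each flagged instance ID to the call that remediates it."""
    return {iid: enforcement_kwargs(iid)
            for iid in find_imdsv1_instances(reservations)}


if __name__ == "__main__":
    # Live run: reservations = boto3.client("ec2").describe_instances()["Reservations"]
    for iid, kwargs in audit(SAMPLE_RESERVATIONS).items():
        print(f"{iid}: modify_instance_metadata_options(**{kwargs!r})")
```

Applying the returned kwargs with `ec2.modify_instance_metadata_options(**kwargs)` enforces IMDSv2 on the flagged instance; any workload on it that still uses plain IMDSv1 GET requests will then need to be updated to fetch a token first.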