AWS-EC2-Insecure-EC2-Metadata-Options

Severity : Critical

Description: This control ensures that EC2 instances do not allow IMDSv1 access to instance metadata. IMDSv1 allows request/response based access, while the newer IMDSv2 only allows session-oriented access to metadata. The instance metadata service distinguishes between IMDSv1 and IMDSv2 requests based on whether, for any given request, the PUT or GET headers that are unique to IMDSv2 are present in that request. The instance metadata service can be configured on each instance so that local code or users must use IMDSv2. IMDSv2's combination of beginning a session with a PUT request and then requiring the secret session token in other requests is always strictly more effective than requiring only a static header. This combination protects against the vast majority of SSRF vulnerabilities.

Remediation Steps:

Perform the following to configure the instance metadata options for new instances:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to EC2 console.

  3. When launching new instances in the AWS EC2 console, on the Configure Instance Details page:

    1. Under Advanced Details, for Metadata accessible, select Enabled.

    2. For Metadata version, select V2 (token required).

Perform the following to configure the instance metadata options for existing instances:

  1. For existing instances, the configuration can only be changed through the AWS CLI or an SDK. To perform the operation from the AWS CLI, run the following command:

    1. Require use of IMDSv2

      • aws ec2 modify-instance-metadata-options \
            --instance-id <id of instance> \
            --http-tokens required \
            --http-endpoint enabled

    2. Change the hop limit

      • aws ec2 modify-instance-metadata-options \
            --instance-id <id of instance> \
            --http-put-response-hop-limit 3 \
            --http-endpoint enabled
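
The following is an added example, not part of this control text: it evaluates the MetadataOptions block that aws ec2 describe-instances returns for each instance, flags instances that still answer IMDSv1 requests (endpoint enabled but tokens not required), and pairs each finding with the modify-instance-metadata-options call given above. The instance IDs and field values in the sample are constructed; the field names follow the EC2 API response shape.

```python
"""Audit EC2 MetadataOptions for instances that still allow IMDSv1.
Added example; the sample describe-instances output below is constructed."""
import json

# Constructed sample mirroring Reservations[].Instances[].MetadataOptions
# from `aws ec2 describe-instances --output json` (IDs are placeholders).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example000000001",
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0example000000002",
         "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 3, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0example000000003",
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
    ]}]
})


def imdsv1_allowed(metadata_options: dict) -> bool:
    """True when the metadata endpoint is reachable and session tokens are not
    required, i.e. a plain GET without a token (IMDSv1) still succeeds."""
    return (metadata_options.get("HttpEndpoint") == "enabled"
            and metadata_options.get("HttpTokens") != "required")


def find_insecure_instances(describe_json: str) -> list:
    """Parse describe-instances JSON and return one finding per instance that
    still allows IMDSv1, with the CLI argv that enforces IMDSv2 on it."""
    findings = []
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if imdsv1_allowed(opts):
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "HttpTokens": opts.get("HttpTokens"),
                    "HopLimit": opts.get("HttpPutResponseHopLimit"),
                    "Remediation": ["aws", "ec2", "modify-instance-metadata-options",
                                    "--instance-id", inst["InstanceId"],
                                    "--http-tokens", "required",
                                    "--http-endpoint", "enabled"],
                })
    return findings


if __name__ == "__main__":
    for f in find_insecure_instances(SAMPLE_DESCRIBE_OUTPUT):
        print(f["InstanceId"], "allows IMDSv1 ->", " ".join(f["Remediation"]))
```

An instance with HttpEndpoint disabled is not flagged because no metadata access is possible at all, which also means agents that depend on metadata will not work on it.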

Important:

  • PowerShell version 4.0 is required to configure IMDSv2; update to Windows Management Framework 4.0 to require the use of IMDSv2.

  • When the use of IMDSv2 is enforced, applications or agents that use IMDSv1 for instance metadata access will break.

  • For IMDSv2, you must use the /latest/api/token path when retrieving the session token.

Reference :

Blue Hexagon Proprietary