
The Instance Metadata Service should not be available through IMDSv1

  • GG_ID: GG_IAC_0035
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: False

Description#

The Amazon EC2 Instance Metadata Service (IMDS) is an on-instance component that EC2 instances use to access instance metadata: the instance ID and region, user data passed at launch, and the temporary credentials of the IAM role attached to the instance. It is reachable only from inside the instance, over plain HTTP at the link-local address 169.254.169.254, and does not require any credentials of its own.

There are two versions of the protocol used to access IMDS: IMDSv1 and IMDSv2. IMDSv1 answers any plain HTTP GET that reaches it from the instance, so it should be disabled: any code path that can be coerced into fetching an attacker-chosen URL (an SSRF or XXE flaw in the application, an open or misconfigured reverse proxy) can read the metadata as well. IMDSv2 introduces session-oriented requests. A client first obtains a session token by sending an HTTP PUT to IMDSv2 with an X-aws-ec2-metadata-token-ttl-seconds header, then presents that token in the X-aws-ec2-metadata-token header of every subsequent GET. Typical SSRF primitives can only issue GETs and cannot set request headers, so they can neither obtain a token nor use one; in addition, IMDSv2 refuses to issue a token when the PUT carries an X-Forwarded-For header (as proxies add), and the PUT response is sent with an IP hop limit of 1 so it does not cross a container or NAT hop. Together these protect against exploitation of SSRF/XXE vulnerabilities present inside the EC2 instance.

Impact#

An attacker who can make the instance issue HTTP requests on their behalf, typically through an SSRF vulnerability in an application running on the instance, could read instance metadata, including the temporary AWS credentials of the instance's IAM role and any secrets placed in user data, and then use those credentials to act against other AWS resources with the permissions granted to the instance.

Remediation guidelines#

There are two possibilities for remediation:

  1. Disable IMDS entirely (http_endpoint set to "disabled") if nothing on the instance needs it.
  2. Transition from IMDSv1 to IMDSv2 by setting http_tokens to "required" in the metadata_options block of the IaC configuration (for example, the aws_instance and aws_launch_template resources in Terraform). Omitting the block does not harden anything: unless the AMI or the account-level IMDS default already requires v2, the instance launches with http_tokens set to "optional".

Before requiring IMDSv2, confirm that every consumer on the instance (AWS SDKs and CLI, the SSM agent, monitoring agents, custom scripts) has been updated to speak IMDSv2, since clients that only issue unauthenticated GETs will stop receiving metadata and credentials once the change is applied.
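As an added example, not part of this rule page or GitGuardian's own code, the following Terraform shows the weak configuration beside the two remediated forms. The resource names, AMI ID and instance type are placeholders; everything else uses the metadata_options arguments the AWS provider actually accepts.

```hcl
# Added example (placeholder names and AMI): weak vs. hardened metadata_options.

# Before: IMDSv1 still accepted. "optional" is also what an instance gets when
# metadata_options is omitted and neither the AMI nor the account default
# mandates IMDSv2, so a missing block is just as exposed as this one.
resource "aws_instance" "app_imdsv1" {
  ami           = "ami-00000000000000000" # placeholder
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "optional" # unauthenticated GETs answered -> flagged by GG_IAC_0035
  }
}

# After (remediation option 2): every metadata request must carry a session
# token obtained via PUT, so a GET-only SSRF cannot reach role credentials.
resource "aws_instance" "app_imdsv2" {
  ami           = "ami-00000000000000000" # placeholder
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # keep the token response from crossing a container/NAT hop
  }
}

# Remediation option 1: the workload never reads metadata, so switch IMDS off.
resource "aws_launch_template" "batch_no_imds" {
  name_prefix   = "batch-"
  image_id      = "ami-00000000000000000" # placeholder
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint = "disabled"
  }
}
```

The hop limit is left at 1 on the hardened instance deliberately: raising it is only needed when a process in a separate network namespace (a container on a bridge network) must reach IMDSv2 itself, and every extra hop widens the set of callers that can obtain a token.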

External documentation#