The Instance Metadata Service should not be available through IMDSv1
- GG_ID: GG_IAC_0035
- Severity: HIGH
- Complexity: LOW
- Categories: DATA, PERMISSION
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: False
The Amazon EC2 Instance Metadata Service (IMDS) is an on-instance component, reachable from the instance at a link-local HTTP address, that applications use to read instance metadata: instance identity, user data, and the temporary credentials of the IAM role attached to the instance.
There are two protocol versions for accessing IMDS: IMDSv1 and IMDSv2. IMDSv1 answers any plain HTTP GET that originates on the instance, so a request forged through an SSRF or XXE vulnerability in an application, or relayed by a misconfigured reverse proxy, reaches it unchanged. IMDSv2 introduced session-based access: the client first sends an HTTP PUT carrying an `X-aws-ec2-metadata-token-ttl-seconds` header and receives a session token, then presents that token in the `X-aws-ec2-metadata-token` header of every subsequent GET. Most SSRF primitives only let an attacker trigger a GET with no control over the method or headers; in addition, IMDSv2 rejects token requests that carry an `X-Forwarded-For` header (which proxies add) and limits the PUT response to a configurable hop count, so a forged request cannot complete the session. IMDSv1 should therefore be disabled.
An attacker who reaches IMDSv1 through such a vulnerability can read the instance's IAM role credentials and user data and use them to pivot from the compromised application to the AWS account.
There are two possibilities for remediation:
- Disable IMDS entirely if the instance does not need it.
- Transition from IMDSv1 to IMDSv2 by setting `http_tokens` to "required" in the `metadata_options` block of the IaC configuration.
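The two remediations side by side with the weak configuration, as an added Terraform example (it is not code from the original page or from any project the page describes). The AMI ID, instance type and resource names are placeholders, and the weak resource relies on the provider's historical default of `http_tokens = "optional"` when `metadata_options` is omitted; if the account or AMI default has been changed to IMDSv2-only, that resource is already protected.

```hcl
# Weak: no metadata_options block, so http_tokens falls back to "optional"
# and IMDSv1 (plain GET, no session token) remains reachable.
resource "aws_instance" "weak" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI ID
  instance_type = "t3.micro"
}

# Remediation 1: keep IMDS but require IMDSv2 session tokens.
# IMDSv1-style GETs without X-aws-ec2-metadata-token are rejected.
resource "aws_instance" "hardened" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI ID
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # IMDSv2 only
    http_put_response_hop_limit = 1          # token PUT response does not cross a second hop
  }
}

# Remediation 2: disable the metadata endpoint entirely when the
# workload does not need instance identity, user data or role credentials.
resource "aws_instance" "no_imds" {
  ami           = "ami-0123456789abcdef0" # placeholder AMI ID
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint = "disabled"
  }
}

# Instances launched by an Auto Scaling group inherit the setting from the
# launch template, so the same block belongs there as well.
resource "aws_launch_template" "hardened" {
  name_prefix   = "hardened-"
  image_id      = "ami-0123456789abcdef0" # placeholder AMI ID
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }
}
```

Keep `http_put_response_hop_limit` at 1 unless workloads in bridged containers legitimately need the token (they sit one network hop away and need a limit of 2); raising it widens the set of places a forged PUT could be answered from. Disabling the endpoint also breaks anything on the instance that resolves credentials through the SDK's default chain, so confirm the workload uses no IAM role before choosing that option.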