Skip to main content

The Instance Metadata Service should not be available through IMDSv1

  • GG_ID: GG_IAC_0035
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: False


Amazon EC2 Instance Metadata Service is an on-instance component that EC2 instances use to access instance metadata.

There are two versions of the protocol that allow to access IMDS: IMDSv1 and IMDSv2. IMDSv1 should be disabled, as it has not been hardened against accidental exposure on the public internet. IMDSv2 introduced session based authentication. An app can start a session by sending an HTTP PUT request to IMDSv2. This protects against exploitation using SSRF/XXE vulnerabilities present inside the EC2 instance.


An attacker could access Instance Metadata to breach applications in EC2 instances.

Remediation guidelines#

There are two possibilities for remediation:

  1. Disable IMDS entirely if it's not needed.
  2. Transition from IMDSv1 to IMDSv2 by setting the http_tokens variable to "required" in the metadata_options block in the IaC configuration.

External documentation#