EC2 instance accepts IMDSv1 Affecting EC2 service in AWS


Severity
medium (Severity Framework: Snyk CCSS)
Rule category
Network / Best Practices

Frameworks
    CIS-AWS, CIS-Controls, CSA-CCM
  • Snyk ID: SNYK-CC-00277
  • Credit: Snyk Research Team

Description

If Instance Metadata Service v2 (IMDSv2) is not enforced, the instance still answers IMDSv1 requests, and the metadata service (including any IAM role credentials it serves) may be reachable through reverse proxy or open firewall misconfigurations and server-side request forgery (SSRF) attacks.

How to fix?

In the aws_instance resource, add a metadata_options block with the http_tokens attribute set to "required" and the http_endpoint attribute set to "enabled".

Example Configuration

resource "aws_instance" "allowed" {
  ami           = "ami-005e54dee72ccabcd"
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
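The same check expressed at runtime, as an added example that is not part of the Snyk rule page: it audits an EC2 DescribeInstances response (a constructed sample below, with placeholder instance IDs), flags instances that still accept IMDSv1, and builds the arguments for the boto3 modify_instance_metadata_options call that applies the setting shown in the Terraform example. Instances that report no MetadataOptions are treated as affected; that is a conservative assumption, not something the page states.

```python
from typing import Dict, List

# Constructed sample in the shape returned by EC2 DescribeInstances
# (boto3: ec2.describe_instances()). Instance IDs are placeholders.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0000000000000aaaa",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0000000000000bbbb",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
            {"InstanceId": "i-0000000000000cccc",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0000000000000dddd"},  # no MetadataOptions reported
        ]}
    ]
}


def accepts_imdsv1(instance: Dict) -> bool:
    """True when the metadata endpoint is reachable and does not require the
    IMDSv2 session token (HttpTokens != "required"). A disabled endpoint
    exposes no IMDS at all, so it is not flagged. Missing MetadataOptions
    are assumed to mean endpoint enabled / tokens optional (affected)."""
    opts = instance.get("MetadataOptions", {})
    endpoint = opts.get("HttpEndpoint", "enabled")
    tokens = opts.get("HttpTokens", "optional")
    return endpoint == "enabled" and tokens != "required"


def find_imdsv1_instances(response: Dict) -> List[str]:
    """IDs of every instance in a DescribeInstances response that still accepts IMDSv1."""
    return [
        inst["InstanceId"]
        for reservation in response.get("Reservations", [])
        for inst in reservation.get("Instances", [])
        if accepts_imdsv1(inst)
    ]


def remediation_params(instance_id: str) -> Dict[str, str]:
    """Keyword arguments for ec2.modify_instance_metadata_options() that enforce
    IMDSv2, matching the metadata_options block in the Terraform example."""
    return {"InstanceId": instance_id, "HttpEndpoint": "enabled", "HttpTokens": "required"}


if __name__ == "__main__":
    for iid in find_imdsv1_instances(SAMPLE_RESPONSE):
        print(f"{iid} accepts IMDSv1; remediate with {remediation_params(iid)}")
```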