EC2 instance accepts IMDSv1 Affecting EC2 service in AWS

Severity Framework Snyk CCSS

Rule category Network / Best Practices

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-AWS CIS-Controls CSA-CCM

Snyk ID SNYK-CC-00277
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

If Instance Metadata Service v2 is not enforced, the metadata service may be vulnerable to reverse proxy/open firewall misconfigurations and server-side request forgery attacks.

How to fix?

Set aws_instance metadata_options block with the http_tokens attribute to required and http_endpoint attribute to enabled.

Example Configuration

resource "aws_instance" "allowed" {
  ami           = "ami-005e54dee72ccabcd"
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}

Terraform

Resource: aws_instance

EC2 instance accepts IMDSv1 Affecting EC2 service in AWS

Description

How to fix?

Example Configuration

Terraform

References