Instance Metadata Service (IMDS) v2

Context

The Amazon Elastic Compute Cloud (Amazon EC2) Instance Metadata Service (IMDS) helps customers build secure and scalable applications. IMDS solves a security challenge for cloud users by providing access to temporary, frequently rotated credentials, and by removing the need to hardcode or distribute sensitive credentials to instances manually or programmatically. The Instance Metadata Service Version 2 (IMDSv2) adds protections to prevent unauthorized use of those credentials outside the instance.

Recommendations

  1. While AWS is making the Instance Metadata Service Version 2 (IMDSv2) the default, instances launched before mid-2024 may still use IMDSv1. Make sure that new Amazon EC2 instance launches in your account use v2 (Blogpost), and be aware that older instances may have been created with v1, which is less secure than v2.
  2. Use the AWS Security Hub control [EC2.8] "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)" or the AWS Config managed rule ec2-imdsv2-check to verify that you are only using IMDSv2.
  3. Configure IMDS v2 on your instances that are using v1.
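The following script is an added example, not part of this page or of any AWS tooling. It shows how recommendations 2 and 3 can be carried out from the command line when Security Hub or AWS Config is not yet enabled: it audits the JSON that `aws ec2 describe-instances` returns for instances whose metadata endpoint is enabled but whose `HttpTokens` setting is still `optional` (IMDSv1 allowed), and builds the `aws ec2 modify-instance-metadata-options --http-tokens required` calls that switch them to IMDSv2-only. The instance IDs and metadata options in `SAMPLE_DESCRIBE_INSTANCES` are constructed sample data, and the region is an assumed placeholder.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-instances --output json`
# (assumed, not data from a real account). Only the fields the audit needs are kept.
SAMPLE_DESCRIBE_INSTANCES = json.loads("""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0aaa000000000001", "State": {"Name": "running"},
       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                           "HttpPutResponseHopLimit": 2}},
      {"InstanceId": "i-0aaa000000000002", "State": {"Name": "running"},
       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                           "HttpPutResponseHopLimit": 1}},
      {"InstanceId": "i-0aaa000000000003", "State": {"Name": "stopped"},
       "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                           "HttpPutResponseHopLimit": 1}}
    ]}
  ]
}
""")


def find_imdsv1_instances(describe_output):
    """Return the IDs of instances that still accept IMDSv1 requests.

    An instance is flagged when its metadata endpoint is enabled and HttpTokens is
    anything other than "required". An instance with the endpoint disabled is not
    flagged: no metadata (and no credentials) can be read from it at all.
    """
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                findings.append(inst["InstanceId"])
    return findings


def remediation_commands(instance_ids, region="us-east-1"):
    """Build the AWS CLI calls that make each listed instance IMDSv2-only.

    `--http-tokens required` rejects any metadata request that lacks a session token;
    `--http-endpoint enabled` keeps the service reachable for applications that already
    use the v2 handshake. The region value is an assumed placeholder.
    """
    return [
        f"aws ec2 modify-instance-metadata-options --region {region} "
        f"--instance-id {iid} --http-tokens required --http-endpoint enabled"
        for iid in instance_ids
    ]


if __name__ == "__main__":
    # Pipe real output in (`aws ec2 describe-instances --output json | python audit.py`)
    # or run without input to audit the constructed sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE_INSTANCES
    flagged = find_imdsv1_instances(data)
    print(f"{len(flagged)} instance(s) still allow IMDSv1: {flagged}")
    for cmd in remediation_commands(flagged):
        print(cmd)
```

Before running the generated commands, confirm that the software on each flagged instance already performs the IMDSv2 token handshake (recent AWS SDKs and the SSM agent do); once `HttpTokens` is `required`, any client that still issues plain IMDSv1 GET requests will stop receiving metadata.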

Risk Mitigation

  • [Credential Access] On instances using IMDSv1, an application vulnerable to SSRF can be used to retrieve the instance's temporary credentials, which can then be used from outside the instance.
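The block below is an added example, not code from this page or from AWS. It shows the two-step IMDSv2 handshake that application code needs once `HttpTokens` is `required` (a PUT to `/latest/api/token` carrying `X-aws-ec2-metadata-token-ttl-seconds`, then GETs carrying `X-aws-ec2-metadata-token`), and why that closes the credential-access path above: a request that lacks the session token is refused with 401. Because the real service at 169.254.169.254 is only reachable from an EC2 instance, the example runs the client against a constructed local stand-in (`FakeImdsV2Handler`) that mimics an IMDSv2-only endpoint; the role name it returns is a placeholder.

```python
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


class FakeImdsV2Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for an IMDSv2-only endpoint (not the real service)."""
    tokens = {}  # issued session token -> expiry time (shared across requests)

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # Step 1 of the handshake: issue a session token with a bounded TTL (1 s .. 6 h).
        if self.path != "/latest/api/token":
            self.send_error(404)
            return
        ttl = self.headers.get(TTL_HEADER)
        if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            self.send_error(400)
            return
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._reply(token.encode())

    def do_GET(self):
        # Step 2: metadata is served only to requests carrying a valid session token.
        # A plain GET, the only request shape IMDSv1 needed, is rejected here.
        token = self.headers.get(TOKEN_HEADER)
        if token is None or self.tokens.get(token, 0) < time.time():
            self.send_error(401)
            return
        if not self.path.startswith("/latest/meta-data/"):
            self.send_error(404)
            return
        self._reply(b"placeholder-role-name\n")  # stands in for the instance role name


def get_metadata_v2(base_url, path, ttl_seconds=21600):
    """What an application must do on an IMDSv2-only instance: fetch a token, then use it."""
    req = urllib.request.Request(f"{base_url}/latest/api/token", method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(f"{base_url}{path}", headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def tokenless_get_status(base_url, path):
    """HTTP status the endpoint returns to a GET without a session token."""
    try:
        with urllib.request.urlopen(f"{base_url}{path}", timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def start_fake_imds():
    """Start the stand-in on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeImdsV2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Run both request shapes against the stand-in and report the outcome of each."""
    server, base = start_fake_imds()
    try:
        return {
            "tokenless_status": tokenless_get_status(base, CREDS_PATH),
            "v2_result": get_metadata_v2(base, CREDS_PATH),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The real service adds one more safeguard that the stand-in does not model: the PUT response is sent with an IP TTL equal to the instance's `HttpPutResponseHopLimit` (default 1), so the token does not leave the instance through a NAT or container hop. Keep that limit at 1 unless containers on the instance must obtain tokens themselves.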

Guidance for assessments

  • Are you using IMDS v2?
  • Have you verified IMDS v2 is set up as default for all new EC2 Instance launches?
  • Do you use AWS Security Hub or AWS Config to check that you’re using IMDS v2?

More detail in the following blogposts:

Pricing

IMDS v2 has no additional cost.