Instance Metadata Service (IMDS) v2

Context

The Amazon Elastic Compute Cloud (Amazon EC2) Instance Metadata Service (IMDS) helps customers build secure and scalable applications. IMDS solves a security challenge for cloud users by providing access to temporary, frequently rotated credentials, removing the need to hardcode sensitive credentials or distribute them to instances manually or programmatically. Instance Metadata Service Version 2 (IMDSv2) adds protections that prevent those credentials from being used outside the instance.

Recommendations

  1. Set all new Amazon EC2 instance launches in your account to use Instance Metadata Service Version 2 (IMDSv2) by default. (Blogpost)
  2. Use the AWS Security Hub control [EC2.8] "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)" or the AWS Config rule ec2-imdsv2-check to verify that you're using IMDSv2.
  3. Configure IMDSv2 on your instances that are still using IMDSv1.
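The following is an added example, not code from the original page, showing the check behind recommendations 2 and 3: it scans `aws ec2 describe-instances` output for instances whose metadata endpoint is enabled but still accepts token-less IMDSv1 calls (`HttpTokens` not `required`) and prints the `aws ec2 modify-instance-metadata-options` call that enforces IMDSv2 on each. The instance IDs and JSON are constructed sample data.

```python
import json

# Constructed sample of `aws ec2 describe-instances` output (not real account data).
# Field names follow the real API: MetadataOptions.HttpTokens / HttpEndpoint.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1",  # v1 still allowed: non-compliant
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2",  # v2 enforced: compliant
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccccccccccccccc3",  # endpoint off: no IMDS exposure at all
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled",
                             "HttpPutResponseHopLimit": 1}},
    ]}]
})


def find_imdsv1_instances(describe_output: str) -> list:
    """IDs of instances with IMDS enabled and IMDSv1 still accepted.

    Mirrors the condition of Security Hub control EC2.8 / Config rule
    ec2-imdsv2-check. A missing HttpTokens field is treated as non-compliant,
    since only an explicit "required" rejects token-less requests.
    """
    findings = []
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                findings.append(inst["InstanceId"])
    return findings


def remediation_command(instance_id: str) -> str:
    """AWS CLI call that enforces IMDSv2 on one instance (recommendation 3).

    --http-tokens required makes IMDS reject requests without a session token;
    --http-endpoint enabled keeps metadata access available to the workload.
    """
    return ("aws ec2 modify-instance-metadata-options"
            f" --instance-id {instance_id}"
            " --http-tokens required --http-endpoint enabled")


if __name__ == "__main__":
    for iid in find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES):
        print(remediation_command(iid))
```

Applying the printed command takes effect without a reboot, so run it only after confirming the workload's clients (SDKs, agents) already support IMDSv2 session tokens.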

Risk Mitigation

  • [Credential Access] On instances still using IMDSv1, an application vulnerable to SSRF can be abused to extract the instance's credentials, which can then be used from outside the instance. IMDSv2's session-token requirement blocks this class of request.

Guidance for assessments

  • Are you using IMDSv2?
  • Have you configured IMDSv2 for all new EC2 instance launches?
  • Do you use AWS Security Hub or AWS Config to check that you're using IMDSv2?

More detail is available in the following blog posts:

Pricing

IMDSv2 has no additional cost.