Instance Metadata Service (IMDS) v2
Context
The Amazon Elastic Compute Cloud (Amazon EC2) Instance Metadata Service (IMDS) helps customers build secure and scalable applications. IMDS solves a security challenge for cloud users by providing access to temporary and frequently-rotated credentials, and by removing the need to hardcode or distribute sensitive credentials to instances manually or programmatically. The Instance Metadata Service Version 2 (IMDSv2) adds protections to prevent unauthorized use of those credentials outside the instance.
Recommendations
- Set all new Amazon EC2 instance launches in your account to use Instance Metadata Service Version 2 (IMDSv2) by default. (Blogpost)
- Use the AWS Security Hub control [EC2.8] "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)" or AWS Config’s ec2-imdsv2-check rule to check that you’re using IMDS v2.
- Configure IMDS v2 on your instances that are still using v1.
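The two recommendations above (find instances still accepting IMDSv1, then switch them to IMDSv2) can be scripted against the EC2 API. The following is an added example, not code from this page or from AWS: it reads the `MetadataOptions` block of a `DescribeInstances` response, lists instances whose metadata endpoint is enabled but does not require the IMDSv2 session token, and builds the arguments for boto3's `modify_instance_metadata_options` call. The `DescribeInstances` response embedded here is a constructed sample; in a real run you would pass the result of `boto3.client("ec2").describe_instances()` and a real client.

```python
"""Audit EC2 MetadataOptions for IMDSv1 exposure and enforce IMDSv2.

Added example (not AWS code). SAMPLE_DESCRIBE_INSTANCES is a constructed
stand-in for the dict returned by boto3 ec2.describe_instances().
"""

# Constructed sample: three instances with different MetadataOptions.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {
            "Instances": [
                # IMDSv1 still accepted: endpoint on, token optional -> must fix
                {"InstanceId": "i-0aaa111constructed",
                 "MetadataOptions": {"HttpEndpoint": "enabled",
                                     "HttpTokens": "optional",
                                     "HttpPutResponseHopLimit": 1}},
                # Already IMDSv2-only -> compliant
                {"InstanceId": "i-0bbb222constructed",
                 "MetadataOptions": {"HttpEndpoint": "enabled",
                                     "HttpTokens": "required",
                                     "HttpPutResponseHopLimit": 1}},
                # Endpoint disabled: nothing to reach, so not reported here
                {"InstanceId": "i-0ccc333constructed",
                 "MetadataOptions": {"HttpEndpoint": "disabled",
                                     "HttpTokens": "optional",
                                     "HttpPutResponseHopLimit": 1}},
            ]
        }
    ]
}


def find_imdsv1_instances(describe_instances_response):
    """Return IDs of instances whose metadata endpoint is enabled but whose
    HttpTokens setting is not 'required', i.e. plain IMDSv1 GETs still work."""
    exposed = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def remediation_kwargs(instance_id, hop_limit=1):
    """Keyword arguments for boto3 ec2.modify_instance_metadata_options().
    HttpTokens='required' switches the instance to IMDSv2 only. The hop limit
    of 1 keeps the token PUT response from leaving the instance; workloads in
    containers behind a NAT bridge may need 2 so the token can reach them."""
    return {
        "InstanceId": instance_id,
        "HttpTokens": "required",
        "HttpEndpoint": "enabled",
        "HttpPutResponseHopLimit": hop_limit,
    }


def enforce_imdsv2(ec2_client, describe_instances_response):
    """Apply the remediation to every exposed instance and return their IDs.
    ec2_client must expose modify_instance_metadata_options(**kwargs), as the
    boto3 EC2 client does."""
    exposed = find_imdsv1_instances(describe_instances_response)
    for instance_id in exposed:
        ec2_client.modify_instance_metadata_options(**remediation_kwargs(instance_id))
    return exposed


class RecordingClient:
    """Offline stand-in for the boto3 client: records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def modify_instance_metadata_options(self, **kwargs):
        self.calls.append(kwargs)
        return {"InstanceId": kwargs["InstanceId"]}


if __name__ == "__main__":
    client = RecordingClient()
    fixed = enforce_imdsv2(client, SAMPLE_DESCRIBE_INSTANCES)
    print("Switched to IMDSv2:", fixed)
    # Account-level default for new launches (first recommendation above):
    #   boto3.client("ec2").modify_instance_metadata_defaults(HttpTokens="required")
    # This call exists in recent boto3 releases; check your version supports it.
```

Run it once in audit-only mode by calling just `find_imdsv1_instances` and feeding the output to your ticketing or Security Hub workflow, then run `enforce_imdsv2` with a real client during a change window, since applications that still use the IMDSv1 GET pattern will start receiving 401 responses the moment HttpTokens becomes required.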
Risk Mitigation
- [Credential Access] Applications vulnerable to SSRF attacks may be used on instances using IMDSv1 to extract the instance credentials to be used from outside the instance.
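Why requiring IMDSv2 blunts this risk comes down to the request shape. IMDSv1 answers a plain GET, which is exactly what a typical SSRF relay can forge; IMDSv2 first requires a PUT to `/latest/api/token` carrying the `X-aws-ec2-metadata-token-ttl-seconds` header, and then the returned session token in `X-aws-ec2-metadata-token` on every GET. The following added example (not from this page or from AWS) runs a tiny local mock of an IMDS endpoint configured with HttpTokens=required and shows both request styles against it: the plain GET gets 401, the token handshake gets the (constructed) credential document. The mock, its token value and the credential JSON are all constructed; the header names and paths are the real IMDSv2 ones.

```python
"""Local demonstration of the IMDSv2 session-token handshake.

Added example (not AWS code). The server below is a constructed imitation of
IMDS with HttpTokens=required, bound to 127.0.0.1 on a random port.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/constructed-role"
# Constructed placeholder credential document, not real keys.
SAMPLE_CREDS = {"AccessKeyId": "ASIA-CONSTRUCTED", "SecretAccessKey": "constructed",
                "Token": "constructed", "Expiration": "2000-01-01T00:00:00Z"}


class MockIMDSv2Handler(BaseHTTPRequestHandler):
    """Issues a session token on PUT /latest/api/token (only if the TTL header
    is present) and rejects any GET that does not carry that token."""
    session_token = "constructed-session-token"

    def do_PUT(self):
        if self.path == "/latest/api/token" and self.headers.get(TTL_HEADER):
            self._reply(200, self.session_token)
        else:
            self._reply(400, "bad request")

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) != self.session_token:
            self._reply(401, "unauthorized")  # IMDSv1-style request with no token
        elif self.path == CREDS_PATH:
            self._reply(200, json.dumps(SAMPLE_CREDS))
        else:
            self._reply(404, "not found")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_imds():
    """Start the mock on a loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockIMDSv2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _do(request):
    try:
        with urllib.request.urlopen(request, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def fetch_v1(base_url, path):
    """IMDSv1 style: a bare GET with no custom header. This is the request
    shape an SSRF bug can usually reproduce, so it must fail under v2-only."""
    return _do(urllib.request.Request(base_url + path))


def fetch_v2(base_url, path, ttl_seconds=21600):
    """IMDSv2 style: PUT for a session token, then GET with the token header.
    The PUT with a custom header is what ordinary SSRF relays cannot produce."""
    token_req = urllib.request.Request(base_url + "/latest/api/token", method="PUT",
                                       headers={TTL_HEADER: str(ttl_seconds)})
    status, token = _do(token_req)
    if status != 200:
        return status, token
    return _do(urllib.request.Request(base_url + path, headers={TOKEN_HEADER: token}))


if __name__ == "__main__":
    server, base = start_mock_imds()
    print("v1-style GET :", fetch_v1(base, CREDS_PATH)[0])   # 401
    print("v2 handshake :", fetch_v2(base, CREDS_PATH)[0])   # 200
    server.shutdown()
```

The point for defenders is the second function: applications and SDKs on the instance must already speak this handshake before HttpTokens is set to required, which is why the audit-then-enforce order in the Recommendations matters. Current AWS SDKs do this by default; the bare GET in `fetch_v1` is what to grep for in legacy code that builds metadata URLs by hand.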
Guidance for assessments
- Are you using IMDS v2?
- Have you configured IMDS v2 for all new EC2 instance launches?
- Do you use AWS Security Hub or AWS Config to check that you’re using IMDS v2?
More detail in the following blogposts:
Pricing
IMDS v2 has no additional cost.