Instance Metadata Service version 1 is enabled
Description
The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata. You can access instance metadata from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1) – a request/response method
- Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method
As a plain request/response method, IMDSv1 is prone to exposure through local misconfigurations:
- Open proxies, open NATs and routers, and server-side reflection (SSRF-style) vulnerabilities can relay requests to the metadata endpoint.
- One way or another, software on the instance can end up fetching local-only data on behalf of a remote caller.
Fix - Buildtime
Terraform
- Resource: aws_instance
- Arguments: http_tokens - (Optional) Whether or not the metadata service requires session tokens, the mechanism used for Instance Metadata Service Version 2. Can be "optional" or "required". (Default: "optional"). Set to "required" to enable Instance Metadata Service V2.
Alternatively, disable the metadata service altogether by setting http_endpoint = "disabled".
resource "aws_instance" "example" {
  ...
  instance_type = "t2.micro"
+ metadata_options {
    ...
+   http_endpoint = "enabled"
+   http_tokens   = "required"
+ }
  ...
}
If you set http_tokens = "required" in a launch template that is used for an EKS worker/node group, you should also consider setting http_put_response_hop_limit = 2, matching the default behavior in EKS. Without this setting the default service account in EKS will not be able to reach the instance metadata service, because pod traffic is one extra network hop away from the instance.
CloudFormation
- Resource: AWS::EC2::LaunchTemplate
- Arguments: Properties.MetadataOptions.HttpEndpoint / Properties.MetadataOptions.HttpTokens
Resources:
  IMDSv1Disabled:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      ...
      LaunchTemplateData:
        ...
+       MetadataOptions:
+         HttpEndpoint: disabled
  IMDSv2Enabled:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      ...
      LaunchTemplateData:
        ...
+       MetadataOptions:
+         HttpTokens: required
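The following is an added example, not part of this policy page or of Checkov itself: it evaluates the "IMDSv1 is enabled" condition against already-parsed Terraform and CloudFormation resources (both fix sections above), applying the AWS defaults the page states (endpoint enabled, tokens optional, so a missing block fails) and the EKS hop-limit advisory. The dictionary shapes and the hypothetical function names are assumptions; the default hop limit of 1 is the AWS default.

```python
"""Added example: evaluate the IMDSv1-enabled policy on parsed IaC resources."""
from typing import Any, Mapping, Optional, Union

PASSED, FAILED = "PASSED", "FAILED"


def evaluate_metadata_options(opts: Optional[Mapping[str, Any]],
                              endpoint_key: str, tokens_key: str) -> str:
    """IMDSv1 stays reachable unless the endpoint is disabled or session
    tokens are required. AWS defaults: endpoint enabled, tokens optional."""
    if opts is None:
        return FAILED  # no metadata_options block -> defaults -> IMDSv1 on
    endpoint = str(opts.get(endpoint_key, "enabled")).lower()
    tokens = str(opts.get(tokens_key, "optional")).lower()
    return PASSED if endpoint == "disabled" or tokens == "required" else FAILED


def check_terraform_instance(resource: Mapping[str, Any]) -> str:
    """resource: attributes of an aws_instance / aws_launch_template block.
    Assumed shape: metadata_options is either a dict or a list of dicts
    (HCL-to-JSON converters emit nested blocks as lists)."""
    block: Union[Mapping[str, Any], list, None] = resource.get("metadata_options")
    if isinstance(block, list):
        block = block[0] if block else None
    return evaluate_metadata_options(block, "http_endpoint", "http_tokens")


def check_cfn_launch_template(resource: Mapping[str, Any]) -> str:
    """resource: one AWS::EC2::LaunchTemplate entry under Resources."""
    props = resource.get("Properties", {})
    opts = props.get("LaunchTemplateData", {}).get("MetadataOptions")
    return evaluate_metadata_options(opts, "HttpEndpoint", "HttpTokens")


def eks_hop_limit_warning(opts: Mapping[str, Any]) -> Optional[str]:
    """Advisory from the page: tokens required on an EKS node group needs a
    hop limit of 2 so pods (one hop beyond the instance) still reach IMDS."""
    if str(opts.get("http_tokens", "optional")).lower() == "required" \
            and int(opts.get("http_put_response_hop_limit", 1)) < 2:
        return "http_put_response_hop_limit < 2: EKS default service account cannot reach IMDS"
    return None


if __name__ == "__main__":
    # Constructed sample inputs mirroring the snippets on this page.
    tf_fixed = {"instance_type": "t2.micro",
                "metadata_options": [{"http_endpoint": "enabled", "http_tokens": "required"}]}
    cfn_unset = {"Type": "AWS::EC2::LaunchTemplate", "Properties": {"LaunchTemplateData": {}}}
    print(check_terraform_instance(tf_fixed), check_cfn_launch_template(cfn_unset))
    print(eks_hop_limit_warning(tf_fixed["metadata_options"][0]))
```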