AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2)
Description
The Instance Metadata Service (IMDS) is the link-local HTTP endpoint (169.254.169.254) through which code running on an instance reads instance metadata, including the temporary credentials of the IAM role attached to the instance.
You can access instance metadata from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1) -- a request/response method
- Instance Metadata Service Version 2 (IMDSv2) -- a session-oriented method
Because IMDSv1 answers any plain GET, it is exposed by a whole class of local misconfigurations and application bugs that let an outside party make an HTTP request on the instance's behalf:
- Open proxies, open NATs and routers, and server-side request forgery (SSRF) bugs that reflect a request to an attacker-chosen URL.
- One way or another, local software forwards a request to 169.254.169.254 and hands back data that was meant to be reachable only from the instance itself, IAM role credentials included.
IMDSv2 closes these paths by making the exchange session-oriented: a client must first obtain a session token with a PUT request to /latest/api/token (typical SSRF primitives and proxies only issue GETs), a PUT that carries an X-Forwarded-For header is rejected, and the token response's IP hop limit (http_put_response_hop_limit, which Terraform defaults to 1) keeps the token from crossing a NAT or router. Every subsequent metadata request must present the token in the X-aws-ec2-metadata-token header. With http_tokens = "required" the instance refuses IMDSv1 requests outright; with the default "optional" both versions are served and none of this protection applies.
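The two exchanges described above, as an added example that is not part of the original page: a constructed in-process stand-in for the metadata service enforces the documented IMDSv2 rules (a token is minted only by PUT /latest/api/token with a TTL between 1 and 21600 seconds, a PUT that carries X-Forwarded-For is refused, and with http_tokens = "required" a GET without a valid token gets 401), and two client functions issue the IMDSv1-style single GET and the IMDSv2 PUT-then-GET against it. The fake server, its port and the sample metadata content are assumptions for illustration; the hop-limit (IP TTL) control is not modelled.

```python
"""IMDSv1 vs IMDSv2 exchange against a constructed stand-in for the metadata service.

Added example, not the page's or AWS's code. The handler mimics only the documented
rules: PUT /latest/api/token mints a token (TTL 1..21600 s), a PUT with X-Forwarded-For
is rejected, and with http_tokens = "required" a GET without a valid token gets 401.
"""
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
# Constructed sample metadata; a real instance returns its own role name and credentials here.
METADATA = {"/latest/meta-data/iam/security-credentials/": "example-role"}


class FakeIMDS(BaseHTTPRequestHandler):
    http_tokens = "required"  # "optional" models an instance that still serves IMDSv1
    tokens = {}               # token -> expiry (monotonic seconds), shared by all handlers

    def log_message(self, *args):  # keep the example quiet
        pass

    def _reply(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path != TOKEN_PATH:
            return self._reply(404)
        # A request that went through a proxy carries X-Forwarded-For; IMDSv2 refuses it.
        if "X-Forwarded-For" in self.headers:
            return self._reply(403)
        try:
            ttl = int(self.headers[TTL_HEADER])
        except (TypeError, ValueError):
            return self._reply(400)
        if not 1 <= ttl <= 21600:
            return self._reply(400)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.monotonic() + ttl
        self._reply(200, token)

    def do_GET(self):
        tok = self.headers.get(TOKEN_HEADER)
        valid = tok in self.tokens and self.tokens[tok] > time.monotonic()
        if self.http_tokens == "required" and not valid:
            return self._reply(401)  # the IMDSv1-style bare GET is refused
        if self.path in METADATA:
            return self._reply(200, METADATA[self.path])
        self._reply(404)


def start_server(http_tokens="required"):
    """Start the fake IMDS on a random loopback port; returns (server, base_url)."""
    FakeIMDS.http_tokens = http_tokens
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def stop_server(srv):
    srv.shutdown()
    srv.server_close()


def _status(req):
    """Return (status_code, body) without raising on 4xx."""
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def imdsv1_get(base, path, extra_headers=None):
    """Request/response: one GET, which is all most SSRF bugs and proxies can do."""
    return _status(urllib.request.Request(base + path, headers=extra_headers or {}))


def imdsv2_get(base, path, ttl=21600, extra_headers=None):
    """Session-oriented: PUT for a token, then GET with the token attached."""
    headers = {TTL_HEADER: str(ttl), **(extra_headers or {})}
    code, token = _status(urllib.request.Request(base + TOKEN_PATH, headers=headers, method="PUT"))
    if code != 200:
        return code, ""
    return _status(urllib.request.Request(base + path, headers={TOKEN_HEADER: token}))


if __name__ == "__main__":
    srv, base = start_server("required")
    path = "/latest/meta-data/iam/security-credentials/"
    print("v1 GET:        ", imdsv1_get(base, path))
    print("v2 PUT+GET:    ", imdsv2_get(base, path))
    print("v2 via proxy:  ", imdsv2_get(base, path, extra_headers={"X-Forwarded-For": "10.0.0.5"}))
    stop_server(srv)
```

Run it as a script to see the three outcomes; against a real instance the base URL is http://169.254.169.254 and the fake server is not needed. The practical reading: an SSRF bug that can only issue GETs, or an open proxy that stamps X-Forwarded-For, retrieves the role credentials from an http_tokens = "optional" instance and gets nothing from a "required" one.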
Code Example
```hcl
resource "aws_instance" "example" {
  ...
  instance_type = "t2.micro"
+ metadata_options {
  ...
+   http_endpoint = "enabled"
+   http_tokens   = "required"
+ }
  ...
}
```
Remediation
Terraform
- Resource: aws_instance
- Argument: http_tokens (Optional), inside the metadata_options block. Whether the metadata service requires session tokens, the mechanism used by Instance Metadata Service Version 2.
Can be "optional" or "required" (default: "optional"). Set it to "required" so that only IMDSv2 requests are answered; "optional" leaves IMDSv1 enabled alongside IMDSv2. Alternatively, disable the metadata service altogether by setting `http_endpoint = "disabled"`, keeping in mind that the AWS SDKs and CLI obtain the instance role's credentials from it.
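A way to find offending resources before apply, written here as an added example rather than Checkov's own implementation of CKV_AWS_79: it walks the planned_values of a `terraform show -json` plan and flags every aws_instance (and, going a step beyond the page, aws_launch_template, whose metadata_options block has the same shape) that neither sets http_tokens = "required" nor disables the endpoint. The embedded plan is constructed for the example; resource names and the module layout are assumptions.

```python
"""Flag EC2 instances in a Terraform plan JSON that still accept IMDSv1.

Added example, not Checkov's CKV_AWS_79 code. It applies the rule as the page states
it: a resource passes when metadata_options sets http_tokens = "required" or
http_endpoint = "disabled"; a missing block or http_tokens = "optional" fails.
"""
import json
import sys

# Resource types carrying a metadata_options block; aws_launch_template is an extension
# beyond the page, which only discusses aws_instance.
CHECKED_TYPES = ("aws_instance", "aws_launch_template")


def allows_imdsv1(values):
    """True when the planned values leave IMDSv1 reachable."""
    opts = values.get("metadata_options") or []
    if not opts:
        return True  # no block in the plan: provider default is http_tokens = "optional"
    o = opts[0]  # nested blocks appear as lists in plan JSON
    if o.get("http_endpoint") == "disabled":
        return False
    return o.get("http_tokens") != "required"


def iter_resources(module):
    """Yield resources of a module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_imdsv1_instances(plan):
    """Return the sorted addresses of checked resources that still accept IMDSv1."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return sorted(
        r["address"]
        for r in iter_resources(root)
        if r.get("type") in CHECKED_TYPES and allows_imdsv1(r.get("values", {}))
    )


# Constructed sample plan (same shape as `terraform show -json plan.out`).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_instance.no_options", "type": "aws_instance", "name": "no_options",
             "values": {"instance_type": "t2.micro"}},
            {"address": "aws_instance.legacy", "type": "aws_instance", "name": "legacy",
             "values": {"instance_type": "t2.micro",
                        "metadata_options": [{"http_endpoint": "enabled", "http_tokens": "optional",
                                              "http_put_response_hop_limit": 1}]}},
            {"address": "aws_instance.hardened", "type": "aws_instance", "name": "hardened",
             "values": {"instance_type": "t2.micro",
                        "metadata_options": [{"http_endpoint": "enabled", "http_tokens": "required",
                                              "http_put_response_hop_limit": 1}]}},
            {"address": "aws_instance.no_imds", "type": "aws_instance", "name": "no_imds",
             "values": {"instance_type": "t2.micro",
                        "metadata_options": [{"http_endpoint": "disabled"}]}},
            {"address": "aws_security_group.web", "type": "aws_security_group", "name": "web",
             "values": {"name": "web"}},
        ],
        "child_modules": [{
            "address": "module.web",
            "resources": [
                {"address": "module.web.aws_launch_template.web", "type": "aws_launch_template",
                 "name": "web", "values": {"metadata_options": [{"http_tokens": "optional"}]}},
            ],
        }],
    }},
}


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for addr in find_imdsv1_instances(plan):
        print(f'FAIL {addr}: IMDSv1 still accepted (set metadata_options.http_tokens = "required")')
```

Usage: `terraform plan -out plan.out && terraform show -json plan.out > plan.json`, then run the script with plan.json as its argument; with no argument it checks the embedded sample, reporting the two instances and the launch template that fail.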
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0132 |
| Severity | HIGH |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_79 |