
Instance Metadata Service Version 2 (IMDSv2) for EC2 Instances. #29

Open
caiovfernandes opened this issue Sep 24, 2021 · 0 comments
Labels
enhancement New feature or request good first issue Good for newcomers Hacktoberfest Hacktoberfest event

Comments

caiovfernandes commented Sep 24, 2021

Summary

The objective of this issue is to enforce the use of Instance Metadata Service Version 2 on our EC2 instances.

The Terraform attribute that enforces IMDSv2 in the aws_launch_template resource is http_tokens.

The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata. You can access instance metadata from a running instance using one of the following methods:

  • Instance Metadata Service Version 1 (IMDSv1) – a request/response method
  • Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

As a request/response method, IMDSv1 is prone to local misconfigurations:

  • Open proxies, open NATs and routers, server-side reflection vulnerabilities.
  • One way or another, local software might access local-only data.

File to modify

ec2-launch-template.tf

Resource: aws_launch_template
Arguments: http_tokens - (Optional) Whether or not the metadata service requires session tokens, the mechanism used for Instance Metadata Service Version 2. Can be "optional" or "required". (Default: "optional"). Set to "required" to enable Instance Metadata Service V2.

Usage example:

resource "aws_launch_template" "example" {
  ...
  metadata_options {
    ...
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
  ...
}

Attention point

If setting http_tokens = "required" in a launch template that is being used for an EKS worker/node group, you should consider setting http_put_response_hop_limit = 2, per the default behavior in EKS.
Without this setting, the default service account in EKS will not be able to access the instance metadata service.

Motivation

As described in AWS Foundational Security Best Practices controls, the EC2 instances should use IMDSv2.

This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.

You use instance metadata to configure or manage the running instance. The IMDS provides access to temporary, frequently rotated credentials. These credentials remove the need to hard code or distribute sensitive credentials to instances manually or programmatically. The IMDS is attached locally to every EC2 instance. It runs on a special "link local" IP address of 169.254.169.254. This IP address is only accessible by software that runs on the instance.

Version 2 of the IMDS adds new protections for the following types of vulnerabilities. These vulnerabilities could be used to try to access the IMDS.

  • Open website application firewalls
  • Open reverse proxies
  • Server-side request forgery (SSRF) vulnerabilities
  • Open Layer 3 firewalls and network address translation (NAT)

Security Hub recommends that you configure your EC2 instances with IMDSv2.

Additional Context

References

ec2-imdsv2-check
Amazon EKS now supports EC2 Instance Metadata Service v2
Resource aws_launch_template

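The following is an added example (not part of the issue or this repository) that applies the Security Hub rule quoted above to launch template version records in the shape returned by the EC2 DescribeLaunchTemplateVersions API, and adds a warning for the EKS hop-limit caveat from the "Attention point" section. The sample records are constructed; the Finding type and function names are assumptions for this example.

```python
"""IMDSv2 check for EC2 launch template versions (added example, not from
the issue). Applies the Security Hub rule quoted above: PASS if HttpTokens is
"required", FAIL if "optional" (also the EC2 default when MetadataOptions is
omitted), plus a WARN for the EKS caveat (HttpPutResponseHopLimit must be 2).
Field names follow DescribeLaunchTemplateVersions; sample data is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    template: str
    version: int
    status: str  # "PASS", "FAIL" or "WARN"
    reason: str

def evaluate_version(version: dict, eks_node_group: bool = False) -> Finding:
    """Apply the IMDSv2 check to a single launch template version."""
    name, number = version["LaunchTemplateName"], version["VersionNumber"]
    md = version.get("LaunchTemplateData", {}).get("MetadataOptions", {})
    # EC2 defaults when the template sets no metadata_options block.
    tokens = md.get("HttpTokens", "optional")
    hop_limit = md.get("HttpPutResponseHopLimit", 1)
    if tokens != "required":
        return Finding(name, number, "FAIL",
                       f"HttpTokens={tokens}: IMDSv1 requests still answered")
    if eks_node_group and hop_limit < 2:
        # Tokens are enforced, but pods sit one hop away from IMDS.
        return Finding(name, number, "WARN",
                       f"HttpPutResponseHopLimit={hop_limit}: EKS pods need 2")
    return Finding(name, number, "PASS", "IMDSv2 required")

def evaluate_all(versions: list, eks_templates: frozenset = frozenset()) -> list:
    """Check every version; templates named in eks_templates get the hop check."""
    return [evaluate_version(v, v["LaunchTemplateName"] in eks_templates)
            for v in versions]

# Constructed sample shaped like DescribeLaunchTemplateVersions output.
SAMPLE_VERSIONS = [
    {"LaunchTemplateName": "web", "VersionNumber": 1,
     "LaunchTemplateData": {}},  # no metadata_options -> tokens optional
    {"LaunchTemplateName": "web", "VersionNumber": 2,
     "LaunchTemplateData": {"MetadataOptions": {
         "HttpEndpoint": "enabled", "HttpTokens": "required"}}},
    {"LaunchTemplateName": "eks-nodes", "VersionNumber": 1,
     "LaunchTemplateData": {"MetadataOptions": {
         "HttpTokens": "required", "HttpPutResponseHopLimit": 1}}},
]

if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_VERSIONS, frozenset({"eks-nodes"})):
        print(f"{f.template} v{f.version}: {f.status} ({f.reason})")
```

The same function can be fed the real `LaunchTemplateVersions` list from the API response to audit every template before switching http_tokens to "required".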