
Rule: EC2 Instances Should Use IMDSv2

This rule ensures that EC2 instances follow best practices by using IMDSv2 for improved security.

Rule: EC2 instances should use IMDSv2
Framework: FedRAMP Low Revision 4
Severity: Low

Rule Description

To comply with the FedRAMP Low Revision 4 security requirements, all Amazon Elastic Compute Cloud (EC2) instances should use the Instance Metadata Service Version 2 (IMDSv2). IMDSv2 is session-oriented: every metadata request must carry a token that was first obtained with an HTTP PUT, which blocks the one-shot GET requests that server-side request forgery (SSRF) attacks and misconfigured open proxies typically produce.

Troubleshooting Steps

If an EC2 instance is not using IMDSv2, you may encounter the following issues:

  1. Vulnerability to SSRF attacks: Without IMDSv2, the instance metadata service is susceptible to unauthorized access and potential SSRF attacks.

Necessary Code

To enable IMDSv2 for your EC2 instances, you need to modify the instance's metadata options so that session tokens are required. Here is the command required:

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required --http-endpoint enabled

Replace <instance-id> with the actual instance ID you want to update.

Step-by-Step Guide for Remediation

Follow the steps below to enable IMDSv2 for your EC2 instances:

  1. Identify the EC2 instances that need IMDSv2 enabled. You can use the AWS Management Console, AWS Command Line Interface (CLI), or SDKs/APIs to access EC2 resources.

  2. For each identified instance, open a terminal or command prompt and execute the following command:

     aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required --http-endpoint enabled

     Replace <instance-id> with the actual instance ID you want to update. The command prints the resulting InstanceMetadataOptions, so the change can be checked immediately.

  3. Verify that IMDSv2 is enabled for the instance by reading its metadata options from describe-instances:

     aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[].Instances[].MetadataOptions'

     Confirm that the output displays "HttpTokens": "required" and "HttpEndpoint": "enabled".

  4. Repeat the above steps for each EC2 instance that needs IMDSv2 enabled.
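The procedure above, applied across a whole region rather than one instance at a time, as an added example that is not Cloud Defense's or AWS's own code: it lists instances whose metadata options still allow IMDSv1, enforces IMDSv2 on each when run with "apply", and re-reads the two fields the rule checks. It assumes AWS CLI v2 and credentials allowed ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions; the region name is an argument.

```shell
#!/bin/sh
# Added example (not Cloud Defense's code): audit a region for instances that still accept IMDSv1, enforce IMDSv2 if asked, verify.
# Assumes AWS CLI v2 and credentials allowed ec2:DescribeInstances and
# ec2:ModifyInstanceMetadataOptions; the region is passed as an argument.
set -eu
# The rule's two conditions: tokens required and the endpoint still enabled.
imds_compliant() {
  [ "$1" = "required" ] && [ "$2" = "enabled" ]
}
# Turn "<HttpTokens> <HttpEndpoint>" from a verification read into a verdict.
verdict() {
  if imds_compliant "$1" "$2"; then echo "IMDSv2 enforced"
  else echo "NON-COMPLIANT (tokens=$1 endpoint=$2)"; fi
}
# Instance IDs whose metadata options still allow IMDSv1, via the
# describe-instances filter metadata-options.http-tokens=optional.
list_noncompliant() {
  aws ec2 describe-instances --region "$1" \
    --filters Name=metadata-options.http-tokens,Values=optional \
              Name=instance-state-name,Values=running,stopped \
    --query 'Reservations[].Instances[].InstanceId' --output text
}
# Enforce IMDSv2. Hop limit 1 is the default; pass 2 for hosts whose containers
# reach IMDS through a NAT hop, or those workloads lose metadata access.
enforce_imdsv2() {
  aws ec2 modify-instance-metadata-options --region "$1" --instance-id "$2" \
    --http-tokens required --http-endpoint enabled \
    --http-put-response-hop-limit "${3:-1}" >/dev/null
}
# Re-read the two fields the rule checks, as "<HttpTokens>\t<HttpEndpoint>".
read_metadata_options() {
  aws ec2 describe-instances --region "$1" --instance-ids "$2" \
    --query 'Reservations[].Instances[].MetadataOptions.[HttpTokens,HttpEndpoint]' \
    --output text
}
# main <region> [apply]: without "apply" it only lists what would change.
main() {
  region="$1"; mode="${2:-dry-run}"
  for id in $(list_noncompliant "$region"); do
    if [ "$mode" = "apply" ]; then
      enforce_imdsv2 "$region" "$id"
      set -- $(read_metadata_options "$region" "$id")
      echo "$id: $(verdict "$1" "$2")"
    else
      echo "$id: would enforce IMDSv2 (HttpTokens=optional)"
    fi
  done
}
case "${1:-}" in audit) main "${2:?region}" ;; apply) main "${2:?region}" apply ;; esac
```

Run it as `sh imdsv2.sh audit us-east-1` for a dry run and `sh imdsv2.sh apply us-east-1` to enforce; check first that agents and older SDKs on the listed instances already work with IMDSv2, since requests without a token are rejected once HttpTokens is required.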

Conclusion

By following the steps and configuring your EC2 instances to use IMDSv2, you will ensure compliance with the FedRAMP Low Revision 4 requirements and enhance the security posture of your application infrastructure. Before setting HttpTokens to required, confirm that the software on each instance (agents, older SDK versions, custom scripts that read the metadata service) already works with IMDSv2, because requests without a token are rejected once the setting is enforced.
