This rule highlights the requirement for EC2 instances to utilize IMDSv2 for enhanced security measures.
Rule | EC2 instances should use IMDSv2 |
Framework | GxP 21 CFR Part 11 |
Severity | ✔ Low |
Rule/policy description
This rule/policy ensures that EC2 instances utilize IMDSv2 (Instance Metadata Service Version 2) to comply with the requirements of GxP (Good Practice) 21 CFR Part 11.
IMDSv2 is the session-oriented version of the Instance Metadata Service, which exposes information about an EC2 instance, including the temporary credentials of its IAM role. Every IMDSv2 request must carry a session token obtained with a PUT request, so the metadata endpoint no longer answers plain GET requests; this makes credential theft through SSRF bugs or misconfigured proxies considerably harder. Enforcing IMDSv2 therefore protects sensitive information on EC2 instances, aligning with the strict regulations of GxP 21 CFR Part 11.
Troubleshooting steps (if applicable)
If you encounter any issues while enabling IMDSv2 or accessing EC2 instance metadata, follow these troubleshooting steps:
Ensure that your EC2 instances are running a supported operating system version. IMDSv2 is supported on Amazon Machine Images (AMIs) based on Amazon Linux 2, AWS WAF, and newer Amazon-provided Windows AMIs.
Verify that your EC2 instance has the necessary IAM (Identity and Access Management) permissions to access the instance metadata. Check your instance profile or IAM role attached to the instance and ensure it has the required permissions.
Double-check the network connectivity between your EC2 instance and the Instance Metadata Service. Ensure there are no network access control lists (ACLs), security group rules, or network-level firewalls blocking the traffic.
If you are using an older version of the AWS Command Line Interface (CLI), update it to the latest version to ensure compatibility with IMDSv2. Use the command
aws --version
to check your current CLI version, and update it using the appropriate method for your operating system.
Verify that you have correctly enabled IMDSv2 on your EC2 instances. Refer to the next section for step-by-step guidance on how to enable IMDSv2 using the AWS CLI.
Enabling IMDSv2 using AWS CLI
To enable IMDSv2 on your EC2 instances, follow these step-by-step instructions:
Install and configure the AWS CLI on your local machine or EC2 instance, if not already done.
Open your preferred command-line interface (CLI) or terminal.
Run the following command to set the default instance profile for the AWS CLI:
aws configure set cli_default_instance_profile <your-instance-profile>
Replace <your-instance-profile> with the name of the instance profile attached to your EC2 instance.
Verify the configuration by running this command:
aws configure get cli_default_instance_profile
This command should return the instance profile name.
Run the following command to enable IMDSv2 on the EC2 instance (the subcommand is modify-instance-metadata-options and the flag is --http-tokens):
aws ec2 modify-instance-metadata-options --instance-id <your-instance-id> --http-endpoint enabled --http-tokens required
Replace <your-instance-id> with the ID of your EC2 instance.
Confirm the successful update by reading the instance's MetadataOptions with describe-instances:
aws ec2 describe-instances --instance-ids <your-instance-id> --query 'Reservations[].Instances[].MetadataOptions'
The command output should include the "HttpEndpoint" value set to "enabled" and the "HttpTokens" value set to "required".
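An added audit helper, not part of the rule page or of the AWS CLI: it classifies describe-instances output against this rule and builds the modify-instance-metadata-options command for each non-compliant instance. The response dict and the instance IDs in it are constructed samples.

```python
"""Audit EC2 MetadataOptions for the IMDSv2 requirement and build remediation commands.

Added example, not the rule page's own code. The sample below is constructed to
mirror the shape of `aws ec2 describe-instances` output (instance IDs are placeholders).
"""
from typing import Dict, List

# Constructed sample shaped like the "Reservations" list returned by describe-instances.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0000000000000aaaa",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
            {"InstanceId": "i-0000000000000bbbb",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0000000000000cccc",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
        ]},
    ]
}


def audit_imdsv2(describe_response: Dict) -> Dict[str, List[str]]:
    """Classify instances: 'compliant' (IMDSv2 enforced), 'noncompliant'
    (endpoint enabled but tokens optional, so IMDSv1 still answers) and
    'endpoint_disabled' (no IMDS at all; does not meet the rule's pass
    condition, but IMDSv1 is not reachable either, so it is reported separately)."""
    result = {"compliant": [], "noncompliant": [], "endpoint_disabled": []}
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                result["endpoint_disabled"].append(inst["InstanceId"])
            elif opts.get("HttpTokens") == "required":
                result["compliant"].append(inst["InstanceId"])
            else:
                # "optional" (or missing) means IMDSv1 requests are still served.
                result["noncompliant"].append(inst["InstanceId"])
    return result


def remediation_commands(instance_ids: List[str]) -> List[str]:
    """Build the CLI call from the procedure above for each non-compliant instance."""
    return [
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {iid} --http-endpoint enabled --http-tokens required"
        for iid in instance_ids
    ]


if __name__ == "__main__":
    findings = audit_imdsv2(SAMPLE_DESCRIBE_INSTANCES)
    print(findings)
    for cmd in remediation_commands(findings["noncompliant"]):
        print(cmd)
```

To run it against a real account, replace SAMPLE_DESCRIBE_INSTANCES with the parsed JSON of `aws ec2 describe-instances`.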
Conclusion
By following the above instructions, you will successfully enable IMDSv2 on your EC2 instances, ensuring compliance with GxP 21 CFR Part 11. IMDSv2 provides an enhanced level of security for EC2 instance metadata, strengthening overall data protection.