
Rule: EC2 Instances Should Use IMDSv2

This rule ensures EC2 instances use IMDSv2 for enhanced security.

Rule: EC2 instances should use IMDSv2
Framework: NIST 800-53 Revision 5
Severity: Low

Rule Description

EC2 instances should use IMDSv2 (Instance Metadata Service Version 2) to comply with the NIST 800-53 Revision 5 security requirement. IMDSv2 provides enhanced security controls for accessing instance metadata, reducing the risk of sensitive information exposure.

Troubleshooting Steps

If you encounter any issues while enabling or using IMDSv2, follow these troubleshooting steps:

  1. Verify Instance Metadata Service Version: Check if the EC2 instances are running on a supported image that includes IMDSv2 support. IMDSv2 is available on the following Amazon Machine Images (AMIs) released after July 10, 2019:

    • Amazon Linux 2: 2.0.20190618 or later
    • Ubuntu: 18.04-LTS or later
    • Windows Server: 2019 or later
  2. Upgrade Instance Operating System: If your instances are running on an older version of the supported operating systems, consider upgrading to a newer version that includes IMDSv2 support.

  3. Verify EC2 Instance Metadata Options: Confirm that the EC2 instance has IMDSv2 enabled in its metadata options. Verify that the instance has the following options set to these values:

    • httpTokens: required
    • httpPutResponseHopLimit: 1
    • httpEndpoint: enabled
  4. Check Security Group Rules: Ensure that the security groups associated with the EC2 instances allow outgoing traffic on port 80 (HTTP) or port 443 (HTTPS). IMDSv2 uses these ports to access instance metadata.

  5. Troubleshoot Connectivity Issues: Verify that the EC2 instances have proper internet connectivity, and that there are no network configurations or firewall rules blocking the required communication.

Code Example

To enable IMDSv2 for an EC2 instance, you can use the AWS Command Line Interface (CLI) with the following command:

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-endpoint enabled --http-tokens required

Replace <instance-id> with the actual ID of the EC2 instance for which you want to enable IMDSv2.

Remediation Steps

Follow these step-by-step instructions to remediate EC2 instances and enable IMDSv2:

  1. Identify the EC2 instance(s): Determine the instance(s) that need to be updated to use IMDSv2. Collect the instance IDs.

  2. Configure AWS CLI: Ensure that you have the AWS CLI installed and configured on your local machine. You can find installation instructions and configuration steps in the AWS CLI User Guide.

  3. Enable IMDSv2 using AWS CLI: Open a terminal or command prompt and run the following command, replacing <instance-id> with the actual ID of the EC2 instance:

    aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-endpoint enabled --http-tokens required
    
  4. Validate IMDSv2: Verify whether IMDSv2 is successfully enabled on the EC2 instance(s) by reading back the instance's metadata options with the following command (the AWS CLI has no separate describe command for metadata options; they are returned as part of describe-instances):

    aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[].Instances[].MetadataOptions'

    If the output shows "HttpTokens": "required" and "HttpEndpoint": "enabled" (with "State": "applied", meaning the change has taken effect), IMDSv2 has been successfully enabled.

  5. Repeat Steps 3-4 for any additional EC2 instances that need IMDSv2 enabled.

By following these steps, you ensure that the EC2 instances utilize IMDSv2 as required by the NIST 800-53 Revision 5 standard.
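The troubleshooting step on metadata options and the validation step above both come down to checking the same three fields on each instance. The following script is an added example, not part of the original page or of Cloud Defense's own tooling: it applies the rule's expected values (httpTokens, httpPutResponseHopLimit, httpEndpoint) to the dict shape that boto3's ec2.describe_instances() returns, reports findings per instance, and builds the remediation command for non-compliant ones. The instance IDs and the describe-instances response embedded here are constructed sample data so the script runs offline; in practice you would replace SAMPLE_DESCRIBE_INSTANCES with a real describe_instances() call.

```python
"""Audit EC2 metadata options against the IMDSv2 rule (added example)."""
import json

# Values the rule expects on each instance's MetadataOptions block.
REQUIRED = {
    "HttpTokens": "required",       # IMDSv2 session token mandatory
    "HttpPutResponseHopLimit": 1,   # token response cannot leave the instance
    "HttpEndpoint": "enabled",      # metadata service reachable at all
}

# Constructed sample in the describe-instances shape. Instance IDs are
# placeholders, not real resources.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0example0compliant",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1,
                                 "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0example1optional",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2,
                                 "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0example2pending",
             "MetadataOptions": {"State": "pending", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1,
                                 "HttpEndpoint": "enabled"}},
        ]}
    ]
}


def evaluate_metadata_options(options):
    """Return a list of findings for one instance; an empty list is compliant."""
    findings = []
    for key, expected in REQUIRED.items():
        actual = options.get(key)
        if actual != expected:
            findings.append(f"{key}={actual!r}, expected {expected!r}")
    # A modify call that has not finished applying is not yet enforced.
    if options.get("State") != "applied":
        findings.append(f"State={options.get('State')!r}, expected 'applied'")
    return findings


def audit_instances(describe_response):
    """Map each instance id to its findings across all reservations."""
    report = {}
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            report[inst["InstanceId"]] = evaluate_metadata_options(
                inst.get("MetadataOptions", {}))
    return report


def remediation_command(instance_id):
    """The page's CLI remediation as an argv list, plus the hop-limit flag
    (a real modify-instance-metadata-options option) so all three rule
    values are set in one call."""
    return ["aws", "ec2", "modify-instance-metadata-options",
            "--instance-id", instance_id,
            "--http-endpoint", "enabled",
            "--http-tokens", "required",
            "--http-put-response-hop-limit", "1"]


def noncompliant_instances(report):
    """Instance ids with at least one finding, in report order."""
    return [iid for iid, findings in report.items() if findings]


if __name__ == "__main__":
    result = audit_instances(SAMPLE_DESCRIBE_INSTANCES)
    print(json.dumps(result, indent=2))
    for iid in noncompliant_instances(result):
        print("remediate with:", " ".join(remediation_command(iid)))
```

The "pending" case is checked separately because a freshly issued modify-instance-metadata-options call reports State "pending" for a short time; an audit that only looks at HttpTokens would mark such an instance compliant before enforcement has actually taken effect. One caveat on the hop limit: a value of 1 also stops containers using the host network stack indirectly (for example Docker bridge networking) from reaching IMDS, so instances that run such workloads need the limit raised to 2 with a corresponding adjustment to the expected value here.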
