Rule: EC2 Instances Should Use IMDSv2

This rule states that all EC2 instances must utilize IMDSv2 for improved security measures.

Rule	EC2 instances should use IMDSv2
Framework	NIST 800-53 Revision 5
Severity	✔ Low

Rule Description

The rule requires that EC2 instances within the AWS environment use IMDSv2 (Instance Metadata Service version 2) for compliance with NIST 800-53 Revision 5. IMDSv2 enhances the security of the instance metadata service by adding additional protection against potential exploitation.

Troubleshooting Steps

If an EC2 instance is found not using IMDSv2, follow these troubleshooting steps:

1.
Verify Instance Metadata Options: Check the instance metadata options for the EC2 instance in question.

2.
Enable IMDSv2: If IMDSv2 is not already enabled, update the instance metadata options to enable IMDSv2.

3.
Restart the Instance: If the instance metadata options were updated to enable IMDSv2, restart the EC2 instance to apply the changes.

Necessary Code

To enable IMDSv2 for an EC2 instance, you can use the AWS CLI or SDKs.

AWS CLI Command

Use the following AWS CLI command to modify IMDS version:

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-put-response-hop-limit 2 --http-put-response-metadata-length 16384 --http-tokens required

Replace

<instance-id>

with the actual ID of the EC2 instance in question.

SDKs

Refer to the documentation of the specific SDK you are using to modify the IMDS version programmatically.

Step-by-Step Guide for Remediation

Follow these steps to enable IMDSv2 for an EC2 instance:

1.
Open the AWS Management Console.

2.
Go to the EC2 service.

3.
Select the EC2 instance that needs to be modified.

4.
Note down the instance ID of the selected EC2 instance.

5.
Open the AWS CLI or use the SDK of your preference.

6.
Run the AWS CLI command mentioned above, replacing
```
<instance-id>
```
with the instance ID noted in step 4.

7.
Wait for the command to complete.

8.
Restart the EC2 instance using the following AWS CLI command:

aws ec2 reboot-instances --instance-ids <instance-id>

Replace

<instance-id>

with the instance ID noted earlier. 9. Verify that the EC2 instance has successfully restarted. 10. Confirm that IMDSv2 is now enabled for the EC2 instance.

Note: It is recommended to test any changes in a non-production environment before applying them to production instances to avoid any potential disruptions.

Rule: EC2 Instances Should Use IMDSv2

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}AWS CLI Command

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}SDKs

Is your System Free of Underlying Vulnerabilities? Find Out Now

AWS CLI Command

SDKs

Is your System Free of Underlying Vulnerabilities?
Find Out Now