This rule checks that EC2 instances require Instance Metadata Service Version 2 (IMDSv2): the instance's metadata options must have HttpTokens set to required, so that token-less IMDSv1 requests to the metadata endpoint are rejected.
Rule | EC2 instances should use IMDSv2 |
Framework | NIST 800-53 Revision 5 |
Severity | Low |
Rule Description: EC2 instances should use IMDSv2 for NIST 800-53 Revision 5
NIST SP 800-53 Revision 5 is the catalog of security and privacy controls used to secure and manage Federal Government information systems. This rule covers one configuration item: EC2 instances must require IMDSv2 (Instance Metadata Service Version 2).
The Instance Metadata Service (IMDS) lets software running on an EC2 instance retrieve information about the instance, including the temporary credentials of its attached IAM role, from the link-local address 169.254.169.254. IMDSv1 answers any plain GET request, so a server-side request forgery bug in an application on the instance, an open or misconfigured proxy, or any other component that can be made to issue a GET on the attacker's behalf can be used to read those credentials. IMDSv2 requires the client to first obtain a session token with a PUT request and then send that token in a request header on every metadata call; the relays that make IMDSv1 exploitable typically cannot issue a PUT with custom headers, and the default hop limit of 1 on the token response keeps the token from leaving the instance.
By following this rule and enabling IMDSv2 on EC2 instances, you ensure that your infrastructure is in compliance with NIST 800-53 Revision 5 security standards.
Troubleshooting Steps (if applicable):
If you encounter any issues while implementing IMDSv2, you can follow these troubleshooting steps:
Verify that the software on the instance supports IMDSv2: compatibility is a property of the code that calls the metadata service, not of the operating system. Current AWS SDKs, the AWS CLI and AWS agents (SSM Agent, CloudWatch agent) request a session token automatically; older SDK releases, older agents and home-grown scripts that issue a plain GET stop working once tokens are required. The MetadataNoToken CloudWatch metric (namespace AWS/EC2, per InstanceId) counts token-less calls that still succeed; a non-zero value means something on that instance still uses IMDSv1 and should be updated before enforcement.
Check the instance metadata endpoint: confirm from inside the instance whether token-less requests are still accepted. Run the following on the instance:
curl http://169.254.169.254/latest/meta-data/
This is the plain GET an IMDSv1 client sends. If IMDSv2 is required, the service answers HTTP 401 Unauthorized and returns no listing; if you get the directory listing (HTTP 200), IMDSv1 is still allowed. There is no IMDSv2-Token header to look for. IMDSv2 is identified by its token exchange: the client first sends a PUT to /latest/api/token carrying the X-aws-ec2-metadata-token-ttl-seconds header, then passes the returned token in the X-aws-ec2-metadata-token header on every metadata request.
Require tokens on the instance: if IMDSv2 is not required, change the instance's metadata options with modify-instance-metadata-options (see Necessary Codes). The change applies to the running instance immediately; stopping or restarting the instance is not required.
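The on-instance check described above, as an added example that is not part of the original page: it probes the metadata service the way an IMDSv1 client would, reports whether IMDSv2 is enforced, and then performs the real IMDSv2 token exchange to read a value. The IMDS address and the X-aws-ec2-metadata-token headers are AWS's documented interface; the script name imds_check.sh and the verdict strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: verify IMDS enforcement from inside
# an EC2 instance using the real IMDSv2 token exchange. The file name
# imds_check.sh is an assumption; the address and headers are AWS's documented ones.
set -eu

IMDS="http://169.254.169.254"

# Token-less GET, exactly what an IMDSv1 client sends. Prints only the HTTP status:
# 200 = IMDSv1 still answered, 401 = session token required (IMDSv2 enforced),
# 000 = no response (http-endpoint disabled, or not running on EC2).
imds_v1_status() {
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 2 \
    "$IMDS/latest/meta-data/" 2>/dev/null) || status=000
  echo "${status:-000}"
}

# Obtain an IMDSv2 session token. The PUT method is mandatory and the TTL
# header must be present (1..21600 seconds). -f makes a refused PUT fail loudly.
imds_token() {
  curl -s -f -X PUT --max-time 2 "$IMDS/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: ${1:-300}"
}

# Read a metadata path with the session token in the request header.
# $1 = path below /latest/meta-data/, $2 = token from imds_token
imds_get() {
  curl -s -f --max-time 2 -H "X-aws-ec2-metadata-token: $2" \
    "$IMDS/latest/meta-data/$1"
}

# Pure helper: turn the status of the token-less probe into a verdict.
imds_verdict() {
  case "$1" in
    401) echo "compliant: IMDSv2 required, token-less request rejected" ;;
    200) echo "non-compliant: IMDSv1 request still answered" ;;
    000) echo "unknown: no response from 169.254.169.254 (http-endpoint disabled, or not on EC2)" ;;
    *)   echo "unknown: unexpected HTTP status $1" ;;
  esac
}

# Usage on the instance:  sh imds_check.sh check
if [ "${1:-}" = "check" ]; then
  imds_verdict "$(imds_v1_status)"
  # Even when IMDSv1 is rejected, a proper IMDSv2 client still gets its data:
  token=$(imds_token 300)
  echo "instance-id via IMDSv2: $(imds_get instance-id "$token")"
fi
```

Run it as `sh imds_check.sh check` on the instance. A compliant instance prints the "compliant" verdict from the token-less probe and then still prints its instance ID, because the second request carries a session token. If the token PUT itself fails, the endpoint is disabled (HttpEndpoint = disabled) rather than merely token-protected.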
Necessary Codes (if applicable):
Run the following to require IMDSv2 on an EC2 instance (modify-instance-metadata-options is available in current releases of both AWS CLI v1 and v2):
aws ec2 modify-instance-metadata-options --instance-id <instance_id> --http-tokens required --http-endpoint enabled
Replace <instance_id> with the ID of the EC2 instance you want to enforce IMDSv2 on. The option is --http-tokens with the value required (there is no --http-token-required flag); --http-endpoint enabled keeps the metadata service reachable, which AWS agents and SDK credential providers need. The change takes effect on the running instance immediately, so no restart is needed. To make new instances compliant from launch, set the same metadata options (HttpTokens = required) in the launch template you start them from.
Step-by-Step Guide for Remediation:
Follow these steps to enable IMDSv2 on an EC2 instance to comply with NIST 800-53 Revision 5 security standards:
Log in to the AWS Management Console and navigate to the EC2 Dashboard.
Identify the EC2 instance(s) that need to be configured for IMDSv2. Confirm that the SDKs, agents and scripts running on those instances can use IMDSv2; the MetadataNoToken CloudWatch metric shows whether an instance still receives token-less (IMDSv1) calls that would break once tokens are required.
Note down the Instance ID(s) of the target instances.
Open a terminal or command prompt and configure AWS CLI by running:
aws configure
Enter your credentials, default region, and output format when prompted. Prefer a named profile backed by IAM Identity Center or an assumed role over pasting long-lived access keys.
Require IMDSv2 on the EC2 instance using the following command:
aws ec2 modify-instance-metadata-options --instance-id <instance_id> --http-tokens required --http-endpoint enabled
Replace <instance_id> with the Instance ID noted earlier. If you have multiple instances, run the command once per instance. Before doing so, check the MetadataNoToken CloudWatch metric for each instance; a non-zero value means an agent or application on it still uses IMDSv1 and will lose metadata access once tokens are required. The change applies to the running instance immediately; no restart is needed.
Confirm from the control plane that the instance's MetadataOptions now report HttpTokens as required (describe-instances shows this under MetadataOptions for each instance). Then confirm from inside the instance by running:
curl http://169.254.169.254/latest/meta-data/
The response must be HTTP 401 Unauthorized with no listing: IMDSv2 is enforced and token-less requests are rejected. A directory listing means IMDSv1 is still allowed. There is no IMDSv2-Token header; IMDSv2 clients identify themselves with a session token obtained via a PUT to /latest/api/token and sent in the X-aws-ec2-metadata-token header. Following these steps ensures that your EC2 instances require IMDSv2, aligning with the security requirements of NIST 800-53 Revision 5.
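The complete remediation procedure above, as one added example that is neither the page's nor AWS's own code: audit a region for instances that do not require tokens, check the MetadataNoToken metric for lingering IMDSv1 use, enforce HttpTokens = required, and read the setting back. It assumes the AWS CLI v2 with working credentials, GNU date, and a region passed on the command line; the file name imds_fleet.sh and the decide helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's own code: audit one region for instances that do
# not require IMDSv2, check MetadataNoToken for remaining IMDSv1 use, enforce
# tokens, and read the setting back. Assumes AWS CLI v2 with credentials set up;
# the file name imds_fleet.sh and the decide helper are this example's own.
set -eu

# One line per instance whose metadata options do not require a token:
# "<InstanceId> <HttpTokens> <HttpEndpoint>"
audit_region() {
  aws ec2 describe-instances --region "$1" \
    --query 'Reservations[].Instances[?MetadataOptions.HttpTokens!=`required`].[InstanceId,MetadataOptions.HttpTokens,MetadataOptions.HttpEndpoint]' \
    --output text
}

# Total MetadataNoToken (successful token-less IMDS calls) over the last 7 days.
# A non-zero sum means something on the instance still speaks IMDSv1.
# date -d is GNU date; on BSD/macOS use: date -u -v-7d +%FT%TZ
v1_calls_last_week() {
  aws cloudwatch get-metric-statistics --region "$1" \
    --namespace AWS/EC2 --metric-name MetadataNoToken \
    --dimensions Name=InstanceId,Value="$2" \
    --start-time "$(date -u -d '7 days ago' +%FT%TZ)" \
    --end-time "$(date -u +%FT%TZ)" \
    --period 604800 --statistics Sum \
    --query 'sum(Datapoints[].Sum)' --output text
}

# Require session tokens and keep the endpoint enabled. Applies to the running
# instance at once; no stop or reboot.
enforce_imdsv2() {
  aws ec2 modify-instance-metadata-options --region "$1" --instance-id "$2" \
    --http-tokens required --http-endpoint enabled >/dev/null
}

# Read the effective HttpTokens value back ("required" or "optional").
http_tokens_setting() {
  aws ec2 describe-instances --region "$1" --instance-ids "$2" \
    --query 'Reservations[0].Instances[0].MetadataOptions.HttpTokens' --output text
}

# Pure helper: $1 = MetadataNoToken sum as printed by the CLI ("0", "12.0" or
# "None" when there are no datapoints), $2 = 1 to enforce even when IMDSv1
# traffic was seen. Prints enforce or hold.
decide() {
  if [ "${2:-0}" = "1" ]; then echo enforce; return; fi
  if awk -v n="$1" 'BEGIN { exit !(n + 0 > 0) }'; then echo hold; else echo enforce; fi
}

# Usage:  sh imds_fleet.sh run us-east-1 [force]
if [ "${1:-}" = "run" ]; then
  region=$2
  force=0
  if [ "${3:-}" = "force" ]; then force=1; fi
  audit_region "$region" | while read -r id tokens endpoint; do
    [ -n "$id" ] || continue
    v1=$(v1_calls_last_week "$region" "$id")
    case "$(decide "$v1" "$force")" in
      enforce)
        enforce_imdsv2 "$region" "$id"
        echo "$id: HttpTokens now $(http_tokens_setting "$region" "$id") (was $tokens, endpoint $endpoint)" ;;
      hold)
        echo "$id: $v1 token-less IMDS calls in the last 7 days; fix clients first or re-run with 'force'" ;;
    esac
  done
fi
```

Run `sh imds_fleet.sh run us-east-1` first without `force`: instances with recent IMDSv1 traffic are reported and left alone, so you can update the SDK, agent or script responsible before enforcing. The describe-instances read-back after each change is the control-plane confirmation of the setting; the curl check from the Troubleshooting Steps confirms it from inside the instance.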