Rule: EC2 Instances Should Use IMDSv2

Ensure EC2 instances are configured to use IMDSv2 for better security measures.

Rule: EC2 instances should use IMDSv2
Framework: NIST 800-53 Revision 5
Severity: Low

Rule Description:

EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) to comply with NIST 800-53 Revision 5 security requirements. IMDSv2 provides enhanced security measures to protect sensitive metadata information within EC2 instances.

Rule Implementation:

To implement this rule, you need to enable IMDSv2 for EC2 instances. IMDSv2 provides an improved security feature called session tokens, which help prevent malicious actors from accessing instance metadata.

Troubleshooting Steps:

  1. Review EC2 instance configuration: check whether your EC2 instances are currently using IMDSv1 or IMDSv2.
  2. Ensure the latest AWS CLI version: make sure you have the latest version of the AWS CLI installed so that the IMDSv2 options are supported.
  3. Check security group rules: verify that inbound and outbound rules for the instance's security group allow access to the IMDSv2 endpoint.

Necessary Codes:

  1. To enable IMDSv2 using the AWS CLI, execute the following command:

     aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> --http-tokens required --http-endpoint enabled

     Replace <INSTANCE_ID> with the ID of the EC2 instance you want to modify.

Remediation Steps:

Follow these step-by-step instructions to enable IMDSv2 for EC2 instances using AWS CLI:

  1. Open a terminal or command prompt.
  2. Install or update the AWS CLI to the latest version if you haven't already.
  3. Authenticate with your AWS credentials using the aws configure command.
  4. Run the following command to enable IMDSv2 for the desired EC2 instance:

     aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> --http-tokens required --http-endpoint enabled

     Replace <INSTANCE_ID> with the ID of the EC2 instance you want to modify.
  5. Validate the modification by running the following command:

     aws ec2 describe-instance-metadata-options --instance-id <INSTANCE_ID>

     Replace <INSTANCE_ID> with the same instance ID used in the previous step.
  6. Confirm that the output shows "HttpTokens": "required" and "HttpEndpoint": "enabled". This indicates that IMDSv2 is successfully enabled.

By following these steps, you can ensure that your EC2 instances are using IMDSv2 to meet the security requirements of NIST 800-53 Revision 5.
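As an added example (not part of this rule page or Cloud Defense's tooling), the script below applies the remediation and validation steps across a whole region instead of one instance at a time: it lists running instances with their MetadataOptions via describe-instances, flags any instance whose HttpTokens is not "required" or whose HttpEndpoint is not "enabled", and in fix mode runs the same modify-instance-metadata-options call and reads the options back to verify. It assumes a configured AWS CLI with ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions permissions; the script name and the check/fix arguments are my own choices.

```shell
#!/bin/sh
# Added example, not Cloud Defense's or AWS's code: audit a region for IMDSv2
# enforcement and optionally remediate with the CLI call the rule describes.
# Assumes a configured AWS CLI (aws configure) with ec2:DescribeInstances and
# ec2:ModifyInstanceMetadataOptions permissions. Usage: ./imds_audit.sh check|fix

# Judge one record "<instance-id> <HttpTokens> <HttpEndpoint>" against the rule.
# Prints a PASS/FAIL verdict; returns 0 when the rule is satisfied, 1 otherwise.
check_record() {
  id=$1; tokens=$2; endpoint=$3
  if [ "$tokens" = "required" ] && [ "$endpoint" = "enabled" ]; then
    echo "PASS $id: HttpTokens=required HttpEndpoint=enabled (IMDSv2 enforced)"
    return 0
  fi
  # "optional" means IMDSv1 requests without a session token are still served.
  echo "FAIL $id: HttpTokens=$tokens HttpEndpoint=$endpoint"
  return 1
}

# JMESPath query reused for the initial listing and the post-change read-back.
OPTS_QUERY='Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens,MetadataOptions.HttpEndpoint]'

# List running instances as tab-separated records and check each one.
# In fix mode, non-compliant instances are switched to IMDSv2 and read back.
audit_region() {
  mode=${1:-check}
  aws ec2 describe-instances \
    --filters Name=instance-state-name,Values=running \
    --query "$OPTS_QUERY" --output text |
  while read -r id tokens endpoint; do
    check_record "$id" "$tokens" "$endpoint" && continue
    [ "$mode" = "fix" ] || continue
    aws ec2 modify-instance-metadata-options --instance-id "$id" \
      --http-tokens required --http-endpoint enabled >/dev/null
    # Read the options back; MetadataOptions.State stays "pending" briefly
    # after the change, so re-run the audit if the verdict has not flipped yet.
    aws ec2 describe-instances --instance-ids "$id" \
      --query "$OPTS_QUERY" --output text |
    { read -r vid vtokens vendpoint; check_record "$vid" "$vtokens" "$vendpoint"; }
  done
}

# Only call the AWS CLI when a mode is given, so the functions can be sourced.
if [ $# -gt 0 ]; then audit_region "$1"; fi
```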
