Ensure Instance Metadata Service version 1 is not enabled

Error: Instance Metadata Service version 1 is enabled

Bridgecrew Policy ID: BC_AWS_GENERAL_31
Checkov Check ID: CKV_AWS_79
Severity: LOW

Instance Metadata Service version 1 is enabled

Description

The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata. You can access instance metadata from a running instance using one of the following methods:

  • Instance Metadata Service Version 1 (IMDSv1) – a request/response method
  • Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

As a request/response method IMDSv1 is prone to local misconfigurations:

  • Open proxies, open NATs and routers, server-side reflection vulnerabilities.
  • One way or another, local software might access local-only data.

Fix - Buildtime

Terraform

  • Resource: aws_instance
  • Arguments: http_tokens - (Optional) Whether or not the metadata service requires session tokens, the mechanism used for Instance Metadata Service Version 2. Can be "optional" or "required". (Default: "optional"). Set to "required" to enable Instance Metadata Service V2.

Alternatively, disable the metadata service altogether by setting http_endpoint = "disabled".

resource "aws_instance" "example" {
  ...
  instance_type     = "t2.micro"
+   metadata_options {
        ...
+       http_endpoint = "enabled"
+       http_tokens   = "required"
+  }
  ...
}

If setting http_tokens = "required" in a launch template that is being used for a EKS worker/node group, you should consider setting the http_put_response_hop_limit = 2 per the default behavior in EKS.
Without this setting the default service account in EKS will not be able to access the instance metadata service.

CloudFormation

  • Resource: AWS::EC2::LaunchTemplate
  • Arguments: Properties.MetadataOptions.HttpEndpoint / Properties.MetadataOptions.HttpTokens
Resources:
  IMDSv1Disabled:
    Type: AWS::EC2::LaunchTemplate
    Properties:
        ...
      LaunchTemplateData:
        ...
+       MetadataOptions:
+         HttpEndpoint: disabled
          
  IMDSv2Enabled:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      ...
      LaunchTemplateData:
        ...
+       MetadataOptions:
+         HttpTokens: required

Did this page help you?