Instance Not Exclusively Using IMDSv2

EC2 instances that do not exclusively utilise the IMDSv2 endpoints utilise a weaker version of IMDS issued credentials that lack a number of protections against theft and misuse.

Details ¶

The AWS Instance Metadata Service (IMDS) is a feature accessible from each AWS EC2 instance. This service provides instance data, service information and IAM credentials based on the IAM Profile attached to the instance. A common use case is to provide an IAM role with the permissions intended to be utilised by services hosted on AWS instances. The role is attached to the instances as an EC2 IAM Profile, and credentials for this role are accessed via the IMDS.

The primary security concern is that the IMDS service can be a route to obtain credentials. Although the initial IMDS version was reasonably secure requiring access to the instance to obtain credentials and the IAM role itself limited to operation only from known endpoints, advancements in security have led to the development and release of IMDSv2. IMDSv2 is a thorough security upgrade with limited functional changes.

AWS IMDSv2 ¶

Using IMDSv2 requires updated AWS SDKs in the services that utilise the IMDS service such as the AWS CLI application or deployed SDKs. If you need to continue using old software that does not support the new SDK versions, it is crucial to update this software as soon as possible to allow for the migration to AMD’s2. Migrating to IMDSv2 across all intended applications will allow for the blocking of IMDSv1 and ensuring that all issued tokens across your AWS estate benefit from updated security protocols.

Using IMDSv2 ensures that:

• All tokens issued by IMDSv2 for the attached AWS IAM EC2 Profile for the instance will be time limited and unable to be utilised outside of the instance
• Tokens are session based and can be reused across multiple requests, creating a common chain of requests from an identified source
• Session tokens are blocked when they’re accompanied by Proxy Protocol headers indicating requests made from outside the local network
• No issued tokens are held in the IMDSv2 service, meaning that individual tokens - when used as intended, as in AWS provided SDKs - only remain in application memory and are lost forever on process termination
• Prevent improperly configured or default settings on non-AWS WAF firewalls from leaking credentials in headers via PUT method requirements
• Implement packet hop configuration to ensure that packets do not travel outside of the instance

Remediation ¶

SkySiege’s AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions with the report delivered the same day.

For actively running instances, you can disable the usage of IMDSv1 by setting the instances to require HTTP Tokens. This enforces the software making calls to the IMDS service to instead go through a full authentication flow to capture tokens via the IMDSv2 model.

Prior to implementing this it’s important to capture the usage of IMDSv1 services by enacting instance monitoring and tracking the Metadata Requests without a Token metric. This will give full details as to any instances where software is making use of the old IMDSv1 service. More details on this detection and instance monitoring in general is available through documentation for test AWS-EC2-8.

Monitoring is a key strategy of any environment, so if you wish to detect which instances are not being monitored as well as which instances are hosting outdated software using IMDSv1, find out more about our Automated Vulnerability Assessment: