Instances do not have monitoring enabled, losing a large amount of data that could indicate compromises and breaches
AWS provides basic monitoring of EC2 Instances as standard with free metric tracking for each instance stored by AWS Cloudwatch. This monitoring tracks key EC2 instance metrics including:
As monitoring of these metrics is included with the AWS Free Tier, and their collection and analysis therefore carries no cost implication, leaving instances unconfigured to collect these metrics is a net loss of data that can directly alert to and indicate a compromise.
Utilisation metrics often indicate compromise, as unusual activity patterns such as additional computation, disk or network activity correlate with malicious activity such as:
When running IMDSv2 as described in this documentation, there should be no attempts to use the IMDSv1 service. The metric Metadata No Token Rejected indicates that requests were made to the instance metadata service without providing a session token. This indicates either outdated software or, once all intended software has been updated to use IMDSv2, unintended software attempting to use the metadata service, which should be investigated.
Similarly, while migrating to IMDSv2, the metric Metadata Requests without a Token indicates which instances are still making requests without an IMDSv2 token and are therefore still hosting old software that needs to be updated.
SkySiege’s AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions with the report delivered the same day.
Remediation simply requires activating monitoring on each instance. Finding unmonitored instances may be difficult across a large number of instances, but as a focused task it can be achieved in good time. The key aspect is to ensure that all instances remain monitored and that all new instances are also configured to launch with monitoring enabled. Enforcing this usually requires migrating all instances to Auto Scaling Groups or other managed orchestration tools so that each instance is configured correctly.
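One way to carry out that focused task across every Region, as an added example that is not SkySiege's scanner: a boto3 script that flags instances whose `Monitoring.State` is not enabled and, when run with `--remediate`, calls `MonitorInstances` on them (the per-instance toggle this enables is detailed, one-minute monitoring). It assumes boto3 is installed and credentials that allow DescribeRegions, DescribeInstances and MonitorInstances; the sample instance records at the bottom are constructed.

```python
# Added example (not SkySiege's scanner): audit EC2 instances whose per-instance
# monitoring is not enabled and optionally enable it. Assumes boto3 is installed and
# credentials that allow ec2:DescribeRegions, ec2:DescribeInstances, ec2:MonitorInstances.
from typing import Dict, Iterable, List

# Monitoring.State values that need no action: already enabled, or being enabled.
OK_STATES = {"enabled", "pending"}


def unmonitored_instance_ids(reservations: Iterable[dict]) -> List[str]:
    """IDs of non-terminated instances whose Monitoring.State is not enabled/pending.
    `reservations` is the 'Reservations' list from ec2.describe_instances()."""
    found = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # cannot be monitored, so not a finding
            if inst.get("Monitoring", {}).get("State") not in OK_STATES:
                found.append(inst["InstanceId"])
    return found


def audit_region(region: str, remediate: bool = False) -> List[str]:
    """Scan one Region; with remediate=True, call MonitorInstances on the findings."""
    import boto3  # imported here so the pure audit logic above runs without boto3
    ec2 = boto3.client("ec2", region_name=region)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    missing = unmonitored_instance_ids(reservations)
    if remediate and missing:
        ec2.monitor_instances(InstanceIds=missing)  # turns on detailed (1-minute) monitoring
    return missing


def audit_all_regions(remediate: bool = False) -> Dict[str, List[str]]:
    """Run the audit in every enabled Region; returns region -> unmonitored instance IDs."""
    import boto3
    regions = boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]
    return {r["RegionName"]: audit_region(r["RegionName"], remediate) for r in regions}


# Constructed sample describe_instances() output for an offline check of the audit logic.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "Monitoring": {"State": "disabled"}},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}, "Monitoring": {"State": "enabled"}},
    {"InstanceId": "i-0ccc", "State": {"Name": "terminated"}, "Monitoring": {"State": "disabled"}},
    {"InstanceId": "i-0ddd", "State": {"Name": "stopped"}, "Monitoring": {"State": "pending"}},
]}]

if __name__ == "__main__":
    import json, sys
    print(json.dumps(audit_all_regions(remediate="--remediate" in sys.argv), indent=2))
```

Running it without `--remediate` only reports, which makes it suitable as a scheduled check that new instances have not launched unmonitored.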
Another key aspect is to continuously monitor instances to ensure that new instances are not missing key configuration. SkySiege's Vulnerability Assessment tools perform this detection the same day, providing the fastest detection in the industry.