EC2 instance without IMDSv2 enforced

PLATFORM:
SERVICE: ec2
DATA BREACHES: known
LAST UPDATED:
EXPLOITABILITY: low (how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)
IMPACT: high (how impactful to your environment and organization a successful exploitation of this vulnerability is expected to be)

About

The Instance Metadata Service V2 (IMDSv2) is critical to ensuring that attackers using Server-Side Request Forgery (SSRF), a common credential theft tactic, do not gain access to the temporary credentials of the instance profile. IMDSv2 adds a session token to the credential exchange that can only be obtained from the instance itself and cannot be obtained by a request that originates outside the instance. Enforcing IMDSv2 is a highly impactful and critical hardening measure.

Understanding Impact

Business Impact

A lack of enforcement of IMDSv2 makes other misconfigurations and in-code mistakes more impactful and risky. If an attacker gains access to instance metadata service credentials, your business could suffer financial and reputational harm.

Technical Impact

EC2 instances can be associated with an instance role, giving them an AWS identity.

Any application running on the instance can then request temporary credentials for that role, through the Instance Metadata Service (IMDS).

IMDSv2 is a more secure version of the IMDS that requires a session token on every request (session-oriented rather than stateless communication), which prevents SSRF exploits from reaching instance credentials. Enabling it is not enough, though: it must be enforced, with IMDSv1 disabled, on all running instances.

Teams should detect and measure the adoption and enforcement of IMDSv2 as part of a strong security posture.

Identify affected resources

Use the following command to identify EC2 instances that do not enforce usage of the IMDSv2:

aws ec2 describe-instances \
  --filters "Name=metadata-options.http-tokens,Values=optional"

Remediate vulnerable resources

When launching EC2 instances, enforce usage of IMDSv2 by setting http-tokens to required. You can also change the settings of running instances to enforce it using aws ec2 modify-instance-metadata-options.
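As an added example (not part of the original page or of Datadog's tooling), the identify-and-remediate steps above as one Python script: it takes a describe-instances response, flags instances whose IMDS endpoint is enabled but does not require a session token, and calls ModifyInstanceMetadataOptions with HttpTokens=required for each. The sample response and FakeEc2Client are constructed so the script runs offline; against a real account you would pass a boto3 EC2 client and its describe_instances() output instead.

```python
"""Audit EC2 instances for IMDSv2 enforcement and set HttpTokens=required where it is missing."""
import json

# Constructed sample of an `aws ec2 describe-instances` response (not real data).
SAMPLE_RESPONSE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0bbb222", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0ccc333", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    ]}]
}


def find_unenforced(response):
    """Return IDs of instances whose IMDS endpoint is reachable but does not require a token.

    Instances with the endpoint disabled expose no credentials to SSRF, so this script
    skips them (a choice made here, not a rule from the page)."""
    flagged = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                flagged.append(inst["InstanceId"])
    return flagged


def enforce_imdsv2(client, instance_ids):
    """Require IMDSv2 tokens on each instance; returns {instance_id: resulting HttpTokens}.

    `client` needs a modify_instance_metadata_options(**kwargs) method (a boto3 EC2 client)."""
    results = {}
    for instance_id in instance_ids:
        resp = client.modify_instance_metadata_options(InstanceId=instance_id, HttpTokens="required")
        results[instance_id] = resp["InstanceMetadataOptions"]["HttpTokens"]
    return results


class FakeEc2Client:
    """Offline stand-in for the boto3 client: records calls and echoes the requested setting."""
    def __init__(self):
        self.calls = []

    def modify_instance_metadata_options(self, **kwargs):
        self.calls.append(kwargs)
        return {"InstanceId": kwargs["InstanceId"], "InstanceMetadataOptions": {"HttpTokens": kwargs["HttpTokens"]}}


if __name__ == "__main__":
    client = FakeEc2Client()  # real use: boto3.client("ec2", region_name=...)
    unenforced = find_unenforced(SAMPLE_RESPONSE)
    print("instances without IMDSv2 enforced:", unenforced)
    print("after remediation:", json.dumps(enforce_imdsv2(client, unenforced)))
```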

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | EC2 instances should enforce IMDSv2".

References

Misconfiguration Spotlight: Securing the EC2 Instance Metadata Service (securitylabs.datadoghq.com)

IMDSv2 (AWS documentation)

EC2 Instance Metadata SSRF (hackingthe.cloud)

Privilege Escalation in EKS Leveraging the IMDS (blog.christophetd.fr)

Technical Analysis of the Capital One Cloud Misconfiguration Breach (web.archive.org)

Cloud Metadata Abuse by UNC2903 (mandiant.com)
