The Instance Metadata Service version 2 (IMDSv2) is critical to ensuring that attackers using Server-Side Request Forgery (SSRF), a common credential theft tactic, do not gain access to the temporary credentials of the instance profile. IMDSv2 adds a session token to the credential exchange that can only be obtained on the instance itself and cannot be obtained by a request that originates outside the instance. Enforcing IMDSv2 is a highly impactful and critical hardening measure.
A lack of enforcement of IMDSv2 makes other misconfigurations and in-code mistakes more impactful and risky. If an attacker gains access to instance metadata service credentials, your business could suffer financial and reputational harm.
EC2 instances can be associated with an instance role, giving them an AWS identity.
Any application running on the instance can then request temporary credentials for that role, through the Instance Metadata Service (IMDS).
IMDSv2 is a more secure version of the IMDS that enforces session-oriented (stateful) communication, which prevents SSRF exploits from accessing instance credentials. However, merely enabling it is not enough: it must be enforced, not just made available, on all running instances.
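To make the "stateful communication" point concrete, here is an added example (not code from the original page or from Datadog) that runs a minimal in-process mock of an IMDS endpoint configured with tokens required. The URL paths and header names are the real IMDS ones; the loopback host and port, the TTL value and the fake credential JSON are constructed for the demo. It shows that a plain GET with no custom headers, which is the shape most SSRF bugs produce, is refused, while the PUT-then-GET exchange that a process on the instance can perform succeeds.

```python
"""Added example (not from the original page): a minimal in-process mock of the
IMDSv2 token exchange, used to show why a header-less GET cannot retrieve
instance credentials once tokens are required. Host/port, TTL value and the
fake credential JSON are constructed for this demo; the paths and header
names are the real IMDS ones."""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "<redacted>"}  # constructed


class MockIMDSv2(BaseHTTPRequestHandler):
    """Mimics IMDS with http-tokens=required: PUT issues a token, GET needs it."""
    issued_tokens = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # Step 1 of the v2 flow: a PUT carrying the TTL header returns a session token.
        if self.path != TOKEN_PATH or TTL_HEADER not in self.headers:
            self._reply(400, "bad request")
            return
        token = secrets.token_urlsafe(32)
        MockIMDSv2.issued_tokens.add(token)
        self._reply(200, token)

    def do_GET(self):
        # Step 2: the stateful check. A GET without a previously issued token is refused.
        if self.headers.get(TOKEN_HEADER) not in MockIMDSv2.issued_tokens:
            self._reply(401, "unauthorized")
            return
        if self.path == CREDS_PATH:
            self._reply(200, json.dumps(FAKE_CREDS))
        else:
            self._reply(404, "not found")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock_imds():
    """Start the mock on an ephemeral loopback port; returns (base URL, server)."""
    server = HTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


def fetch_status(base_url, path, method="GET", headers=None):
    """Return (HTTP status, body) for one request to the mock."""
    req = urllib.request.Request(base_url + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def v1_style_request(base_url):
    """What an SSRF usually yields: a plain GET with no custom headers."""
    return fetch_status(base_url, CREDS_PATH)[0]


def v2_exchange(base_url):
    """The IMDSv2 flow: PUT for a session token, then GET with that token."""
    status, token = fetch_status(base_url, TOKEN_PATH, "PUT", {TTL_HEADER: "21600"})
    if status != 200:
        return status
    return fetch_status(base_url, CREDS_PATH, "GET", {TOKEN_HEADER: token})[0]


if __name__ == "__main__":
    base, srv = start_mock_imds()
    print("header-less GET   ->", v1_style_request(base))
    print("PUT token, then GET ->", v2_exchange(base))
    srv.shutdown()
```

The mock models only the token requirement. The real service also refuses token PUT requests that carry an X-Forwarded-For header and limits how many network hops a token response may travel, both of which further narrow what a forwarded or proxied request can do.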
Teams should detect and measure the adoption and enforcement of IMDSv2 as part of a strong security posture.
Identify affected resources
Use the following command to identify EC2 instances that do not enforce usage of the IMDSv2:
# Lists running or stopped instances whose metadata options still accept IMDSv1 (http-tokens=optional)
aws ec2 describe-instances \
  --filters "Name=metadata-options.http-tokens,Values=optional" \
  --query "Reservations[].Instances[].InstanceId" \
  --output text
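For teams that want to track IMDSv2 enforcement over time rather than run the command ad hoc, here is an added example (not code from the original page or from Datadog) that audits a `describe-instances` response, separates instances that still accept IMDSv1 from those with the metadata endpoint disabled entirely, reports an enforcement ratio, and builds the corresponding `modify-instance-metadata-options` call for each affected instance. The response embedded below is constructed sample data; the field names (`MetadataOptions.HttpTokens`, `HttpEndpoint`, `HttpPutResponseHopLimit`) and the CLI flags are the real EC2 ones.

```python
"""Added example (not from the original page): audit a describe-instances
response for instances that still accept IMDSv1 and build the remediation
command for each. SAMPLE_RESPONSE is constructed data in the real API shape."""
import json
import sys

# Constructed sample in the shape `aws ec2 describe-instances` returns.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111example", "State": {"Name": "running"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222example", "State": {"Name": "running"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0ccc333example", "State": {"Name": "stopped"},
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}


def iter_instances(response):
    """Flatten the Reservations/Instances nesting of the API response."""
    for reservation in response.get("Reservations", []):
        yield from reservation.get("Instances", [])


def find_non_enforcing(response):
    """Return (flagged, endpoint_off): IDs still accepting IMDSv1, and IDs whose
    metadata endpoint is disabled (no credentials are served, so not flagged)."""
    flagged, endpoint_off = [], []
    for inst in iter_instances(response):
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint") == "disabled":
            endpoint_off.append(inst["InstanceId"])
        elif opts.get("HttpTokens") != "required":
            flagged.append(inst["InstanceId"])
    return flagged, endpoint_off


def remediation_command(instance_id):
    """Real AWS CLI call that enforces IMDSv2 on one instance."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} --http-tokens required --http-endpoint enabled")


def coverage(response):
    """Fraction of endpoint-enabled instances that enforce IMDSv2 (1.0 if none)."""
    flagged, endpoint_off = find_non_enforcing(response)
    total = sum(1 for _ in iter_instances(response)) - len(endpoint_off)
    return 1.0 if total == 0 else (total - len(flagged)) / total


if __name__ == "__main__":
    # Usage: aws ec2 describe-instances | python audit_imdsv2.py   (falls back to the sample)
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE
    flagged, endpoint_off = find_non_enforcing(data)
    print(f"IMDSv2 enforcement: {coverage(data):.0%} of endpoint-enabled instances")
    for iid in flagged:
        print(remediation_command(iid))
    for iid in endpoint_off:
        print(f"# {iid}: metadata endpoint disabled, nothing to enforce")
```

Before applying the generated commands, check `HttpPutResponseHopLimit` on each flagged instance: `modify-instance-metadata-options` also accepts `--http-put-response-hop-limit`, and with the default of 1 a containerized workload reaching IMDS through a bridge network will not receive the token response, so enforcement can break it unless the limit is raised to 2.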
Remediate vulnerable resources
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSPM Rule | EC2 instance uses IMDSv2".