Auto Scaling group enforces IMDSv2 or disables the instance metadata service
autoscaling_group_launch_configuration_requires_imdsv2
Amazon EC2 Auto Scaling launch configurations are evaluated for Instance Metadata Service settings. Instances should have the metadata endpoint enabled with http_tokens=required (enforcing IMDSv2), or have the metadata service disabled.
Setting http_tokens=optional, or omitting the setting altogether, leaves legacy (IMDSv1) access enabled.
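The evaluation described above, written out as an added example (not Prowler's own check code): each launch configuration's MetadataOptions, in the shape returned by describe-launch-configurations, passes when the endpoint is disabled or HttpTokens is required, and fails when HttpTokens is optional or absent. The launch configurations in the block are constructed sample data, and the fallback values used when a key is missing are an assumption matching the statement that an omitted setting leaves legacy access enabled.

```python
PASS = "PASS"
FAIL = "FAIL"


def evaluate_metadata_options(metadata_options):
    """Return (status, reason) for one launch configuration's MetadataOptions.

    HttpEndpoint=disabled                      -> PASS (no metadata service at all)
    HttpEndpoint=enabled, HttpTokens=required  -> PASS (IMDSv2 enforced)
    HttpTokens=optional or missing             -> FAIL (IMDSv1 still reachable)
    """
    opts = metadata_options or {}
    # Assumed fallbacks: an omitted setting behaves like the legacy defaults.
    endpoint = opts.get("HttpEndpoint", "enabled")
    tokens = opts.get("HttpTokens", "optional")
    if endpoint == "disabled":
        return PASS, "instance metadata service disabled"
    if tokens == "required":
        return PASS, "IMDSv2 enforced (HttpTokens=required)"
    return FAIL, f"IMDSv1 allowed (HttpTokens={tokens})"


def audit_launch_configurations(launch_configurations):
    """Map each launch configuration name to its (status, reason)."""
    return {
        lc["LaunchConfigurationName"]: evaluate_metadata_options(lc.get("MetadataOptions"))
        for lc in launch_configurations
    }


# Constructed sample data mirroring the describe-launch-configurations response shape.
SAMPLE_LAUNCH_CONFIGURATIONS = [
    {"LaunchConfigurationName": "web-imdsv2",
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                         "HttpPutResponseHopLimit": 1}},
    {"LaunchConfigurationName": "legacy-optional",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"LaunchConfigurationName": "no-metadata",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
    {"LaunchConfigurationName": "unset-defaults"},  # MetadataOptions omitted entirely
]

if __name__ == "__main__":
    for name, (status, reason) in audit_launch_configurations(SAMPLE_LAUNCH_CONFIGURATIONS).items():
        print(f"{status:4} {name}: {reason}")
```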
Risk
Without enforced IMDSv2, SSRF and local escape paths can access IAM role credentials, enabling unauthorized API calls.
Attackers could:
- Exfiltrate data with stolen tokens
- Move laterally and modify resources, degrading confidentiality and integrity
prowler aws --checks autoscaling_group_launch_configuration_requires_imdsv2
Recommendation
Require IMDSv2 for Auto Scaling-launched instances by setting http_tokens=required when metadata is enabled. If metadata is not needed, disable it.
Apply least privilege to instance roles, set IMDSv2 as an account default, and use defense in depth (egress filtering, SSRF protections) to limit exposure.
Remediation
aws autoscaling create-launch-configuration --launch-configuration-name <new-launch-config> --image-id <AMI_ID> --instance-type <INSTANCE_TYPE> --metadata-options 'HttpTokens=required,HttpEndpoint=enabled'
- In the AWS Console, go to EC2 > Auto Scaling > Launch configurations
- Click Create launch configuration and choose the same AMI and instance type used by the group
- Expand Advanced details and set Metadata options to: Metadata accessible = Enabled, Metadata version = V2 only (token required)
- Create the launch configuration
- Go to EC2 > Auto Scaling > Auto Scaling groups, select the group, click Edit
- Under Launch configuration, select the new launch configuration and Save
- (Alternative) To disable IMDS entirely: when creating the launch configuration, set Metadata accessible = Disabled
Resource Type
AwsAutoScalingAutoScalingGroup
References
- https://trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/require-imds-v2.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-3
- https://aws.plainenglish.io/dont-let-metadata-leak-why-imdsv2-is-a-must-and-how-to-migrate-a88e1e285394