OCI compute instance metadata service is configured so legacy IMDS v1 endpoints are disabled, requiring session-authorized IMDS v2 requests for metadata access
Risk
Leaving IMDS v1 enabled permits unauthenticated metadata reads, either from any local process or through SSRF, compromising the confidentiality of instance principal credentials, SSH keys, and custom user data. Stolen tokens enable cloud API abuse, driving privilege escalation, lateral movement, and unauthorized changes that compromise integrity.
prowler oraclecloud --checks compute_instance_legacy_metadata_endpoint_disabled
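The following is an added example, not Prowler's own check code or anything from the page: it shows the evaluation logic such a check performs, run over constructed instance records whose field names mirror the OCI Compute API's instance_options.are_legacy_imds_endpoints_disabled attribute (the OCIDs and names are placeholders). It fails closed when the instance_options block is absent and skips terminated instances, then emits the remediation command from this page for each failing instance.

```python
from dataclasses import dataclass

# Constructed sample records shaped like OCI Compute API instance objects.
# The OCIDs and display names are placeholders, not real resources.
SAMPLE_INSTANCES = [
    {"id": "ocid1.instance.oc1..example-a", "display_name": "web-1",
     "lifecycle_state": "RUNNING",
     "instance_options": {"are_legacy_imds_endpoints_disabled": True}},
    {"id": "ocid1.instance.oc1..example-b", "display_name": "web-2",
     "lifecycle_state": "RUNNING",
     "instance_options": {"are_legacy_imds_endpoints_disabled": False}},
    {"id": "ocid1.instance.oc1..example-c", "display_name": "batch-old",
     "lifecycle_state": "RUNNING",
     "instance_options": None},  # options never set: v1 endpoints still reachable
    {"id": "ocid1.instance.oc1..example-d", "display_name": "gone",
     "lifecycle_state": "TERMINATED",
     "instance_options": {"are_legacy_imds_endpoints_disabled": False}},
]


@dataclass
class Finding:
    instance_id: str
    display_name: str
    status: str  # "PASS" or "FAIL"
    status_extended: str


def legacy_imds_disabled(instance: dict) -> bool:
    """True only when the instance explicitly disables the IMDS v1 endpoints.

    A missing or empty instance_options block is treated as v1 enabled,
    so an unset value never produces a false PASS.
    """
    opts = instance.get("instance_options") or {}
    return bool(opts.get("are_legacy_imds_endpoints_disabled", False))


def evaluate(instances: list) -> list:
    """Produce one PASS/FAIL finding per non-terminated instance."""
    findings = []
    for inst in instances:
        if inst.get("lifecycle_state") == "TERMINATED":
            continue  # nothing left to remediate
        name = inst["display_name"]
        if legacy_imds_disabled(inst):
            findings.append(Finding(inst["id"], name, "PASS",
                f"Instance {name} requires IMDS v2 (legacy endpoints disabled)."))
        else:
            findings.append(Finding(inst["id"], name, "FAIL",
                f"Instance {name} still serves unauthenticated IMDS v1 endpoints."))
    return findings


def remediation_command(instance_id: str) -> str:
    """The OCI CLI command from the Remediation section, with the failing OCID filled in."""
    return (f"oci compute instance update --instance-id {instance_id} "
            "--instance-options '{\"areLegacyImdsEndpointsDisabled\": true}'")


if __name__ == "__main__":
    for f in evaluate(SAMPLE_INSTANCES):
        print(f.status, f.instance_id, f.status_extended)
        if f.status == "FAIL":
            print("  remediate:", remediation_command(f.instance_id))
```

Running it against the constructed records yields one PASS (web-1) and two FAILs (web-2 and batch-old); the terminated instance produces no finding.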
Recommendation
Disable IMDS v1 and require IMDS v2 across all instances. Migrate applications to session-authorized requests and confirm image support. Enforce least privilege for instance principals, restrict untrusted processes from reaching 169.254.169.254, and monitor metadata access to provide defense in depth.
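As an added example of the application-side migration the recommendation asks for (not code from the page or from Prowler), this builds an OCI IMDS v2 request: it uses the /opc/v2/ path and sends the Authorization: Bearer Oracle header that v2 requires, and it has no v1 fallback, so disabling the legacy endpoints on the instance cannot break it. The metadata host 169.254.169.254 is the one named on the page; the helper names are this example's own.

```python
import json
import urllib.request

IMDS_HOST = "http://169.254.169.254"
# OCI IMDS v2 lives under /opc/v2/ and requires this header on every request.
# /opc/v1/ accepts unauthenticated reads, which is exactly what this check removes.
IMDS_V2_AUTH = "Bearer Oracle"


def build_imds_v2_request(path: str, host: str = IMDS_HOST) -> urllib.request.Request:
    """Build a v2 request for a metadata path such as 'instance/' or 'vnics/'.

    There is deliberately no v1 fallback: if v2 fails, the caller sees the
    error instead of silently issuing an unauthenticated v1 request.
    """
    url = f"{host}/opc/v2/{path.lstrip('/')}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", IMDS_V2_AUTH)
    return req


def is_v2_compliant(req: urllib.request.Request) -> bool:
    """Guard run before sending: rejects v1 paths and a missing auth header."""
    return ("/opc/v2/" in req.full_url
            and req.get_header("Authorization") == IMDS_V2_AUTH)


def fetch_instance_metadata(timeout: float = 2.0) -> dict:
    """Read the instance document over IMDS v2. Only succeeds on an OCI instance."""
    req = build_imds_v2_request("instance/")
    if not is_v2_compliant(req):
        raise RuntimeError("refusing to send a non-v2 metadata request")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Off-instance this raises a URLError, which is the intended behaviour:
    # there is no v1 path to fall back to.
    print(json.dumps(fetch_instance_metadata(), indent=2))
```

When validating image and application support before flipping an instance to Version 2 only, run workloads with this kind of client first; anything that still breaks after the change was relying on v1 and needs the same treatment.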
Remediation
oci compute instance update --instance-id <instance-ocid> --instance-options '{"areLegacyImdsEndpointsDisabled": true}'
- In the OCI Console, go to Compute > Instances
- Select <example_resource_name>
- In Instance Details, next to Instance metadata service, click Edit
- Set Allowed IMDS version to Version 2 only
- Click Save changes
Resource Type
Instance