EC2 account IMDS defaults with http_tokens=required ensure new instances in the Region use IMDSv2 by default and disable IMDSv1. Existing instances keep their current setting.
Risk
Without an account-level default of IMDSv2, new instances may launch with IMDSv1 enabled, exposing instance metadata over a plain, unauthenticated HTTP request. An SSRF flaw or a misconfigured proxy on such an instance can then be used to read the instance role's temporary IAM credentials, enabling data exfiltration (confidentiality), unauthorized API changes (integrity), and lateral movement that can disrupt services (availability).
prowler aws --checks ec2_instance_account_imdsv2_enabled
prowler aws --checks ec2_instance_account_imdsv2_enabled --fixer
Recommendation
Enforce IMDSv2 at the account level in every Region by setting http_tokens to required. Add guardrails with SCP/IAM conditions. Standardize AMIs and launch templates to require tokens, validate workload compatibility, and apply least privilege to instance roles for defense in depth. For containers, prefer hop limit 2.
Remediation
aws ec2 modify-instance-metadata-defaults --region <region> --http-tokens required
- In the AWS Console, open EC2 and select the target Region
- Go to EC2 Dashboard > Account attributes > Data protection and security
- Next to IMDS defaults, click Manage
- Set Metadata version to V2 only (token required)
- Click Update
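The following script is an added example, not Prowler's own check or fixer code. It reproduces the audit logic described on this page (flag any Region whose account-level default is not `http_tokens=required`, optionally also enforcing the hop limit of 2 suggested for containers) and, with `--live --fix`, applies the same `ModifyInstanceMetadataDefaults` change as the CLI command above. It assumes `boto3` is installed and that the caller holds `ec2:DescribeRegions`, `ec2:GetInstanceMetadataDefaults` and, for fixing, `ec2:ModifyInstanceMetadataDefaults`. The sample payloads embedded at the bottom are constructed for offline use and are not real account data.

```python
"""Audit (and optionally enforce) account-level IMDS defaults across Regions.

Added example; not part of Prowler. Uses the EC2 GetInstanceMetadataDefaults /
ModifyInstanceMetadataDefaults APIs via boto3 when run with --live.
"""
import sys
from typing import Optional

# Hop limit the recommendation above suggests for container workloads.
CONTAINER_HOP_LIMIT = 2


def evaluate_defaults(account_level: dict, require_hop_limit: Optional[int] = None) -> dict:
    """Classify the 'AccountLevel' object of a GetInstanceMetadataDefaults response.

    A missing HttpTokens key means 'no-preference': the AMI / launch template
    setting wins, so IMDSv2 is not enforced for new instances. A hop limit above
    the ceiling lets PUT token responses travel through extra network hops
    (e.g. out of a container's network namespace), so it is flagged as well.
    Returns {'status': 'PASS'|'FAIL', 'reasons': [...]}.
    """
    reasons = []
    tokens = account_level.get("HttpTokens", "no-preference")
    if tokens != "required":
        reasons.append(
            f"HttpTokens is '{tokens}': IMDSv1 may still be enabled on new instances"
        )
    if require_hop_limit is not None:
        hop = account_level.get("HttpPutResponseHopLimit")
        if hop is None or hop > require_hop_limit:
            reasons.append(
                f"HttpPutResponseHopLimit is {hop}, expected <= {require_hop_limit}"
            )
    return {"status": "FAIL" if reasons else "PASS", "reasons": reasons}


def audit_account(session, fix: bool = False, hop_limit: Optional[int] = None) -> dict:
    """Walk every enabled Region and evaluate its IMDS defaults (live API calls)."""
    regions = [r["RegionName"] for r in session.client("ec2").describe_regions()["Regions"]]
    results = {}
    for region in regions:
        client = session.client("ec2", region_name=region)
        account_level = client.get_instance_metadata_defaults().get("AccountLevel", {})
        verdict = evaluate_defaults(account_level, hop_limit)
        if verdict["status"] == "FAIL" and fix:
            # Same change as: aws ec2 modify-instance-metadata-defaults --http-tokens required
            params = {"HttpTokens": "required"}
            if hop_limit is not None:
                params["HttpPutResponseHopLimit"] = hop_limit
            client.modify_instance_metadata_defaults(**params)
            verdict["fixed"] = True
        results[region] = verdict
    return results


# Constructed sample payloads (not real account data) for offline runs.
SAMPLE_RESPONSES = {
    "us-east-1": {"HttpTokens": "required", "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"},
    "eu-west-1": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 1},
    "ap-south-1": {},  # nothing configured at account level => no-preference
}


def main(argv) -> dict:
    """Offline by default; pass --live (and optionally --fix) for real API calls."""
    if "--live" in argv:
        import boto3  # only needed for real API calls
        results = audit_account(boto3.Session(), fix="--fix" in argv, hop_limit=CONTAINER_HOP_LIMIT)
    else:
        results = {r: evaluate_defaults(v, CONTAINER_HOP_LIMIT) for r, v in SAMPLE_RESPONSES.items()}
    for region, verdict in results.items():
        print(f"{region}: {verdict['status']}" + "".join(f"\n  - {x}" for x in verdict["reasons"]))
    return results


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without arguments to see the verdict for the three constructed Regions (only `us-east-1` passes); `python script.py --live` audits the real account, and `--live --fix` additionally sets `HttpTokens=required` and the hop limit in every failing Region. As with the console and CLI steps above, this only changes the default for future launches; existing instances keep their own IMDS configuration.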
Resource Type
AwsEc2Instance