Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required.
Risk
Using IMDSv2 protects against misconfiguration and SSRF vulnerabilities; IMDSv1 does not.
Run this check with Prowler CLI
prowler aws --checks ec2_instance_imdsv2_enabled
ARN template
arn:partition:service:region:account-id:resource-id
Recommendation
If you don't need IMDS, you can turn it off. Using the AWS CLI, you can force the instance to use only IMDSv2.
Remediation
CLI
aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required --http-endpoint enabled
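The following is an added example, not Prowler's own code: it applies the check's rule to `aws ec2 describe-instances` output and builds the remediation command above for each failing instance. The instance IDs and sample data are constructed, and treating a disabled endpoint as passing is an assumption drawn from the recommendation.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output (not real instances).
SAMPLE = json.loads("""{"Reservations": [{"Instances": [
  {"InstanceId": "i-00000000000000001", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
  {"InstanceId": "i-00000000000000002", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-00000000000000003", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-00000000000000004"}
]}]}""")

def evaluate_instance(instance):
    """Return (status, reason) for one instance record."""
    opts = instance.get("MetadataOptions") or {}
    endpoint = opts.get("HttpEndpoint")
    tokens = opts.get("HttpTokens")
    if endpoint == "disabled":
        return "PASS", "IMDS is turned off"  # assumption: no endpoint, nothing to reach
    if endpoint == "enabled" and tokens == "required":
        return "PASS", "IMDSv2 is enabled and required"
    if endpoint == "enabled":
        return "FAIL", "IMDSv1 is still accepted (HttpTokens=%s)" % tokens
    # Missing or unexpected data is reported as a failure rather than assumed safe.
    return "FAIL", "metadata options missing or unrecognised"

def audit(describe_output):
    """Map instance id -> (status, reason) across all reservations."""
    results = {}
    for reservation in describe_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            results[instance["InstanceId"]] = evaluate_instance(instance)
    return results

def remediation_commands(results):
    """Build the page's remediation command for every failing instance."""
    return [
        "aws ec2 modify-instance-metadata-options --instance-id %s "
        "--http-tokens required --http-endpoint enabled" % iid
        for iid, (status, _) in sorted(results.items()) if status == "FAIL"
    ]

if __name__ == "__main__":
    findings = audit(SAMPLE)
    for iid, (status, reason) in sorted(findings.items()):
        print(iid, status, reason)
    print("\n".join(remediation_commands(findings)))
```

To run it against an account, replace SAMPLE with the parsed output of `aws ec2 describe-instances`.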
Resource Type
AwsEc2Instance