EC2 instances are evaluated for IMDSv2 enforcement: metadata endpoint enabled with http_tokens: required, or metadata service fully disabled (http_endpoint: disabled).
Risk
Permitting IMDSv1 or optional tokens lets SSRF or compromised workloads retrieve temporary IAM credentials, impacting confidentiality and integrity. Stolen role creds can drive privilege escalation, unauthorized data access, and lateral movement across AWS resources.
Run this check with Prowler CLI
prowler aws --checks ec2_instance_imdsv2_enabled
Recommendation
Apply defense in depth:
- Require IMDSv2 tokens on all instances (http_tokens: required)
- Disable metadata where not needed (http_endpoint: disabled)
- Minimize hop limit to 1 when feasible
- Update SDKs/apps for IMDSv2
- Restrict instance profile permissions (least privilege)
- Block metadata access from untrusted workloads
Remediation
CLI
aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required --http-endpoint enabled
Native IaC
Terraform
Other
- In AWS Console, go to EC2 > Instances
- Select the instance > Actions > Instance settings > Modify instance metadata options
- Set Metadata version to IMDSv2 only (HTTP tokens: Required)
- Ensure Instance metadata service is Enabled (or set to Disabled to turn off IMDS entirely)
- Click Save
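The following Python script is an added illustration of the check logic and the CLI remediation above; it is not Prowler's own implementation of ec2_instance_imdsv2_enabled. It consumes the JSON shape returned by `aws ec2 describe-instances` (the MetadataOptions block with HttpEndpoint, HttpTokens and HttpPutResponseHopLimit), applies the rule stated at the top of this page, flags a hop limit above 1 as a note, and builds the modify-instance-metadata-options command for failing instances. The instance records are constructed sample data, and treating a missing field as the permissive value is an assumption made so unknown settings are reported rather than silently passed.

```python
"""Evaluate EC2 instances for IMDSv2 enforcement and build remediation commands.

Added illustration, not Prowler's check code. Rule applied (as stated for
this check): PASS when the metadata endpoint is disabled, or when it is
enabled and tokens are required; otherwise FAIL.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    instance_id: str
    status: str                 # "PASS" or "FAIL"
    reason: str
    notes: list = field(default_factory=list)


def evaluate_imdsv2(instance: dict) -> Finding:
    """Apply the check rule to one instance record from describe-instances."""
    iid = instance["InstanceId"]
    opts = instance.get("MetadataOptions", {})
    # Assumption: a missing field is treated as the permissive value so that an
    # instance with unknown settings is reported rather than silently passed.
    endpoint = opts.get("HttpEndpoint", "enabled")
    tokens = opts.get("HttpTokens", "optional")
    hop_limit = int(opts.get("HttpPutResponseHopLimit", 1))

    if endpoint == "disabled":
        return Finding(iid, "PASS", "instance metadata service disabled")

    if tokens != "required":
        return Finding(iid, "FAIL", f"IMDSv1 reachable (HttpTokens={tokens})")

    finding = Finding(iid, "PASS", "IMDSv2 tokens required")
    if hop_limit > 1:
        # Not a failure for this check, but the recommendation asks for 1: a hop
        # limit of 1 keeps the token response from being forwarded beyond the
        # instance itself (for example to bridged containers on the host).
        finding.notes.append(
            f"HttpPutResponseHopLimit={hop_limit}; consider lowering to 1")
    return finding


def remediation_command(finding: Finding, disable_endpoint: bool = False) -> str:
    """Build the CLI line from the Remediation section for one instance."""
    base = f"aws ec2 modify-instance-metadata-options --instance-id {finding.instance_id}"
    if disable_endpoint:
        # Turn IMDS off entirely where the workload does not need it.
        return f"{base} --http-endpoint disabled"
    return f"{base} --http-tokens required --http-endpoint enabled"


def audit(describe_output: dict) -> list:
    """Walk Reservations[].Instances[] and evaluate every instance."""
    return [evaluate_imdsv2(inst)
            for reservation in describe_output.get("Reservations", [])
            for inst in reservation.get("Instances", [])]


# Constructed sample resembling `aws ec2 describe-instances` output; the
# instance IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0000000000000aaa",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0000000000000bbb",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0000000000000ccc",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}

if __name__ == "__main__":
    for f in audit(SAMPLE_DESCRIBE_OUTPUT):
        line = f"{f.status:4} {f.instance_id}: {f.reason}"
        if f.notes:
            line += " [" + "; ".join(f.notes) + "]"
        print(line)
        if f.status == "FAIL":
            print("     fix:", remediation_command(f))
```

To run it against a real account, replace SAMPLE_DESCRIBE_OUTPUT with the parsed output of `aws ec2 describe-instances --output json`; the evaluation and command-building functions need no change.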
Source Code
Resource Type
AwsEc2Instance
References
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/require-imds-v2.html
- https://support.icompaas.com/support/solutions/articles/62000234166-5-7-ensure-that-the-ec2-metadata-service-only-allows-imdsv2-automated-
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#configuring-instance-metadata-options