
Amazon EC2 launch templates should have IMDSv2 enabled and required.

ec2_launch_template_imdsv2_required

Severity: high
Service: ec2
by Prowler

This control checks if Amazon EC2 launch templates are configured with IMDSv2 enabled and required. The control fails if IMDSv2 is not enabled or required in the launch template versions.

Risk

Without IMDSv2 required, EC2 instances may be vulnerable to metadata service attacks, allowing unauthorized access to instance metadata, potentially leading to compromise of instance credentials or other sensitive data.

Run this check with Prowler CLI

prowler aws --checks ec2_launch_template_imdsv2_required

ARN template
arn:aws:ec2:region:account-id:launch-template/resource-id

Recommendation

To ensure EC2 launch templates have IMDSv2 enabled and required, update the template's metadata options so that Instance Metadata Service Version 2 is required (HttpTokens set to required).

Remediation

CLI

aws ec2 create-launch-template-version --launch-template-id <template-id> --source-version <version-number> --launch-template-data '{"MetadataOptions":{"HttpTokens":"required","HttpEndpoint":"enabled"}}'
aws ec2 modify-launch-template --launch-template-id <template-id> --default-version <new-version-number>

Launch template versions are immutable and modify-launch-template only changes the default version, so the metadata options are enforced by creating a new version from the existing one and then promoting that version to the default.
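As an added example (not Prowler's own check code), the following Python evaluates launch template versions the way the control description above implies and builds the create_launch_template_version arguments that the remediation step needs. The version records are a constructed sample that mirrors the shape of ec2:DescribeLaunchTemplateVersions output; the launch template id and AMI id are placeholders. Treating a version with no MetadataOptions as failing is an assumption made here, because such a version does not pin IMDSv2 enforcement in the template itself.

```python
"""Evaluate EC2 launch template versions for IMDSv2 enforcement and
derive the remediation payload. Added example, not Prowler's code."""
from typing import Any, Dict, List, Tuple

# Constructed sample (placeholder ids), shaped like the "LaunchTemplateVersions"
# list returned by ec2:DescribeLaunchTemplateVersions.
SAMPLE_VERSIONS: List[Dict[str, Any]] = [
    {   # version 1: no MetadataOptions at all, enforcement not pinned in the template
        "LaunchTemplateId": "lt-0123456789abcdef0", "VersionNumber": 1,
        "LaunchTemplateData": {"ImageId": "ami-EXAMPLE", "InstanceType": "t3.micro"},
    },
    {   # version 2: IMDS enabled but tokens optional (IMDSv1 still accepted)
        "LaunchTemplateId": "lt-0123456789abcdef0", "VersionNumber": 2,
        "LaunchTemplateData": {
            "ImageId": "ami-EXAMPLE",
            "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                                "HttpPutResponseHopLimit": 1},
        },
    },
    {   # version 3: compliant, IMDSv2 enabled and required
        "LaunchTemplateId": "lt-0123456789abcdef0", "VersionNumber": 3,
        "LaunchTemplateData": {
            "ImageId": "ami-EXAMPLE",
            "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"},
        },
    },
]


def version_requires_imdsv2(version: Dict[str, Any]) -> bool:
    """True only when the version explicitly enables IMDS and requires tokens."""
    opts = version.get("LaunchTemplateData", {}).get("MetadataOptions", {})
    # Assumption: a missing MetadataOptions block counts as non-compliant,
    # since the template then relies on AMI/account defaults it does not control.
    return opts.get("HttpTokens") == "required" and opts.get("HttpEndpoint") == "enabled"


def evaluate_launch_template(versions: List[Dict[str, Any]]) -> Tuple[str, List[int]]:
    """Return ("PASS"|"FAIL", [failing version numbers]) across all versions."""
    failing = [v["VersionNumber"] for v in versions if not version_requires_imdsv2(v)]
    return ("FAIL" if failing else "PASS", failing)


def remediation_call(version: Dict[str, Any]) -> Dict[str, Any]:
    """Build kwargs for boto3 ec2.create_launch_template_version().

    Versions are immutable, so remediation means a new version derived from the
    failing one (SourceVersion inherits every other setting) with only the
    MetadataOptions overridden. Existing options such as the hop limit are kept.
    """
    opts = dict(version.get("LaunchTemplateData", {}).get("MetadataOptions", {}))
    opts["HttpTokens"] = "required"
    opts["HttpEndpoint"] = "enabled"
    return {
        "LaunchTemplateId": version["LaunchTemplateId"],
        "SourceVersion": str(version["VersionNumber"]),
        "LaunchTemplateData": {"MetadataOptions": opts},
    }


if __name__ == "__main__":
    status, failing = evaluate_launch_template(SAMPLE_VERSIONS)
    print(f"{SAMPLE_VERSIONS[0]['LaunchTemplateId']}: {status}, failing versions {failing}")
    for v in SAMPLE_VERSIONS:
        if not version_requires_imdsv2(v):
            print("create_launch_template_version(**%r)" % remediation_call(v))
```

After the new version is created, it still has to be promoted with modify-launch-template's default version setting, and running instances launched from the old versions keep their original metadata options until replaced or modified with modify-instance-metadata-options.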

Resource Type

AwsEc2LaunchTemplate