This check verifies that Amazon EC2 launch templates require Instance Metadata Service Version 2 (IMDSv2), that is, the version's MetadataOptions has HttpTokens set to required. A launch template version fails if HttpTokens is optional or no metadata options are set at all, because instances launched from it still answer IMDSv1 requests.
Risk
When HttpTokens is not set to required, instances launched from the template accept unauthenticated IMDSv1 GET requests to http://169.254.169.254/. Any flaw that lets an attacker make the instance send an HTTP request on their behalf (an SSRF in a web application, an open proxy, a misconfigured reverse proxy) can then read the instance role's temporary credentials from /latest/meta-data/iam/security-credentials/ as well as user data and other instance metadata. IMDSv2 requires a session token obtained with a PUT request carrying a custom header, which those attack vectors usually cannot issue, so requiring it removes this credential-theft path.
Run this check with Prowler CLI
prowler aws --checks ec2_launch_template_imdsv2_required
ARN template
arn:aws:ec2:region:account-id:launch-template/resource-id
Remediation
aws ec2 create-launch-template-version --launch-template-id <template-id> --source-version <version-number> --launch-template-data '{"MetadataOptions":{"HttpTokens":"required","HttpEndpoint":"enabled"}}'
aws ec2 modify-launch-template --launch-template-id <template-id> --default-version <new-version-number>
https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-170
Launch template versions are immutable, so the fix is to create a new version that inherits the failing version's settings and sets MetadataOptions.HttpTokens to required, then make that version the template's default so new launches (including those from Auto Scaling groups that use the default version) pick it up. If other versions are still referenced explicitly, create hardened replacements for those as well, and re-run the check to confirm no remaining version leaves HttpTokens optional.
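The evaluation the check performs and the remediation payload it calls for, as an added worked example (this is not Prowler's check code). It runs offline over a constructed sample shaped like the output of aws ec2 describe-launch-template-versions; the template and AMI identifiers, the version numbers and the web-tier name are made up. It goes one step beyond the text by flagging versions that disable the metadata endpoint entirely, since those also lack HttpTokens=required but expose no IMDS at all.

```python
"""Evaluate EC2 launch template versions for IMDSv2 enforcement and build the
remediation commands. Added example; not Prowler's own implementation."""
import json
from typing import Dict, List

# Constructed sample in the shape returned by
# `aws ec2 describe-launch-template-versions` (ids, names, AMI are made up).
SAMPLE_VERSIONS: List[Dict] = [
    {   # no MetadataOptions at all: the template does not enforce IMDSv2
        "LaunchTemplateId": "lt-0123456789abcdef0", "LaunchTemplateName": "web-tier",
        "VersionNumber": 1, "DefaultVersion": True,
        "LaunchTemplateData": {"ImageId": "ami-0123456789abcdef0"},
    },
    {   # explicitly optional: IMDSv1 still answered
        "LaunchTemplateId": "lt-0123456789abcdef0", "LaunchTemplateName": "web-tier",
        "VersionNumber": 2, "DefaultVersion": False,
        "LaunchTemplateData": {"ImageId": "ami-0123456789abcdef0",
                               "MetadataOptions": {"HttpTokens": "optional",
                                                   "HttpEndpoint": "enabled",
                                                   "HttpPutResponseHopLimit": 1}},
    },
    {   # compliant version
        "LaunchTemplateId": "lt-0123456789abcdef0", "LaunchTemplateName": "web-tier",
        "VersionNumber": 3, "DefaultVersion": False,
        "LaunchTemplateData": {"ImageId": "ami-0123456789abcdef0",
                               "MetadataOptions": {"HttpTokens": "required",
                                                   "HttpEndpoint": "enabled"}},
    },
    {   # metadata endpoint switched off: no IMDS reachable, tokens irrelevant
        "LaunchTemplateId": "lt-0123456789abcdef0", "LaunchTemplateName": "web-tier",
        "VersionNumber": 4, "DefaultVersion": False,
        "LaunchTemplateData": {"ImageId": "ami-0123456789abcdef0",
                               "MetadataOptions": {"HttpTokens": "optional",
                                                   "HttpEndpoint": "disabled"}},
    },
]


def imdsv2_required(template_data: Dict) -> bool:
    """True only when the version forces session tokens (IMDSv2).
    A missing MetadataOptions block is treated as HttpTokens=optional."""
    opts = template_data.get("MetadataOptions") or {}
    return opts.get("HttpTokens") == "required"


def evaluate_versions(versions: List[Dict]) -> List[Dict]:
    """One finding per version: FAIL unless HttpTokens=required.
    endpoint_disabled marks versions where the IMDS endpoint itself is off,
    so the operator can decide whether a FAIL there is actionable."""
    findings = []
    for v in versions:
        data = v.get("LaunchTemplateData", {})
        opts = data.get("MetadataOptions") or {}
        findings.append({
            "resource": f"{v['LaunchTemplateId']} v{v['VersionNumber']}",
            "default": bool(v.get("DefaultVersion")),
            "http_tokens": opts.get("HttpTokens", "optional"),
            "status": "PASS" if imdsv2_required(data) else "FAIL",
            "endpoint_disabled": opts.get("HttpEndpoint") == "disabled",
        })
    return findings


def hardened_metadata_options(template_data: Dict) -> Dict:
    """Keep the version's existing metadata options (e.g. hop limit) and
    set HttpTokens=required; enable the endpoint unless explicitly set."""
    opts = dict(template_data.get("MetadataOptions") or {})
    opts["HttpTokens"] = "required"
    opts.setdefault("HttpEndpoint", "enabled")
    return opts


def remediation_commands(template_id: str, source_version: int,
                         template_data: Dict) -> List[str]:
    """The two CLI calls that fix a failing version: create a new version
    based on it (only MetadataOptions is overridden, the rest is inherited
    from --source-version), then make it the default. <NEW> stands for the
    VersionNumber printed by the first command."""
    payload = json.dumps({"MetadataOptions": hardened_metadata_options(template_data)})
    return [
        f"aws ec2 create-launch-template-version --launch-template-id {template_id} "
        f"--source-version {source_version} --launch-template-data '{payload}'",
        f"aws ec2 modify-launch-template --launch-template-id {template_id} "
        f"--default-version <NEW>",
    ]


if __name__ == "__main__":
    for f in evaluate_versions(SAMPLE_VERSIONS):
        print(f)
    v1 = SAMPLE_VERSIONS[0]
    for cmd in remediation_commands(v1["LaunchTemplateId"], v1["VersionNumber"],
                                    v1["LaunchTemplateData"]):
        print(cmd)
```

To run it against a real account, replace SAMPLE_VERSIONS with the LaunchTemplateVersions list from describe-launch-template-versions (pass --versions '$Latest' '$Default' or the full range, since older versions may still be referenced by Auto Scaling groups). Because the new version inherits everything else from --source-version, passing only MetadataOptions in --launch-template-data is enough and avoids accidentally dropping settings such as HttpPutResponseHopLimit.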
Source Code
References
Resource Type
AwsEc2LaunchTemplate