This check inspects EC2 launch templates for their Instance Metadata Service (IMDS) configuration. It identifies versions where http_endpoint is enabled and http_tokens is required (IMDSv2 enforced), versions with the metadata service disabled, and versions that allow metadata access without requiring tokens (IMDSv1 still reachable).
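The classification the check performs, as an added example that is not Prowler's own code: it takes launch template versions in the shape returned by boto3's describe_launch_template_versions and labels each one. It assumes that a version with no MetadataOptions block falls back to the EC2 default of tokens optional, and the sample response is constructed for illustration.

```python
# Added example: classify launch template versions by IMDS configuration.
# Input shape follows the boto3 describe_launch_template_versions response.
# Assumption: a version with no MetadataOptions inherits the EC2 default
# (endpoint enabled, tokens optional), so it is reported as not enforcing IMDSv2.

ENFORCED = "imdsv2_enforced"
DISABLED = "metadata_disabled"
NOT_ENFORCED = "imdsv1_allowed"


def classify_version(version: dict) -> str:
    """Label a single launch template version by its MetadataOptions."""
    opts = version.get("LaunchTemplateData", {}).get("MetadataOptions", {})
    endpoint = opts.get("HttpEndpoint", "enabled")   # EC2 default when unset
    tokens = opts.get("HttpTokens", "optional")      # EC2 default when unset
    if endpoint == "disabled":
        return DISABLED          # no metadata at all, nothing for SSRF to reach
    if tokens == "required":
        return ENFORCED          # IMDSv2 only: PUT with token needed
    return NOT_ENFORCED          # plain GET still answers: IMDSv1 exposure


def evaluate_template(versions: list) -> dict:
    """Per-version findings plus an overall PASS/FAIL for the whole template."""
    findings = {v["VersionNumber"]: classify_version(v) for v in versions}
    failing = sorted(n for n, s in findings.items() if s == NOT_ENFORCED)
    return {
        "status": "FAIL" if failing else "PASS",
        "findings": findings,
        "failing_versions": failing,
    }


# Constructed sample response (not data from a real account)
SAMPLE_VERSIONS = [
    {"VersionNumber": 1, "LaunchTemplateData": {"ImageId": "ami-00000000"}},
    {"VersionNumber": 2, "LaunchTemplateData": {"MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional"}}},
    {"VersionNumber": 3, "LaunchTemplateData": {"MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required"}}},
    {"VersionNumber": 4, "LaunchTemplateData": {"MetadataOptions": {
        "HttpEndpoint": "disabled"}}},
]

if __name__ == "__main__":
    result = evaluate_template(SAMPLE_VERSIONS)
    print(result["status"], "failing versions:", result["failing_versions"])
```

Every version of a template is evaluated, because an instance can be launched from any version, not only the default one.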
Risk
Allowing metadata access without IMDSv2 enables SSRF and open proxy paths to query instance metadata, exposing temporary credentials and secrets. Attackers can steal IAM role credentials to access data, modify resources, and pivot within the account, threatening confidentiality and integrity.
prowler aws --checks ec2_launch_template_imdsv2_required
Recommendation
Enforce IMDSv2 in all launch template versions by setting token use to required; disable the metadata service when not needed. Apply least privilege to instance roles and use defense in depth (egress filtering, input validation) to reduce SSRF paths. Ensure applications and SDKs are compatible with IMDSv2.
Remediation
aws ec2 create-launch-template-version --launch-template-id <example_resource_id> --source-version <example_source_version> --launch-template-data '{"MetadataOptions":{"HttpTokens":"required"}}'
- In the AWS Console, go to EC2 > Launch Templates
- Select the launch template, then choose Actions > Modify template (Create new version)
- Expand Advanced details > Metadata options
- Set Http tokens to Required (or disable Metadata accessible)
- Click Create template version
- (Optional) Set this new version as Default if you want it used for future launches
Resource Type
AwsEc2LaunchTemplate