aws-legacy-instance-meta

Ensure Instance Metadata Service Version 1 is not enabled

It is highly recommended to discontinue use of the legacy Instance Metadata Service Version 1 (IMDSv1), as leaving it enabled increases the chance that an SSRF (Server-Side Request Forgery) vulnerability can be exploited to great effect. IMDSv2 protects the metadata service better by mandating that extra headers are passed, which prevents a simple SSRF in a hosted web application from interacting with it.

Examples

Insecure Example

resource "aws_launch_template" "foo" {
  name = "foo"
  metadata_options {
    http_endpoint = "disabled"
    http_tokens   = "optional"
  }
  ...
}

{
  "Type" : "AWS::EC2::LaunchTemplate",
  "Properties" : {
    "LaunchTemplateName" : "foo",
    "LaunchTemplateData" : {
      "MetadataOptions" : {
        "HttpEndpoint" : "disabled",
        "HttpTokens" : "optional"
      }
    }
  }
}

Secure Example

resource "aws_launch_template" "foo" {
  name = "foo"
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
  ...
}

{
  "Type" : "AWS::EC2::LaunchTemplate",
  "Properties" : {
    "LaunchTemplateName" : "foo",
    "LaunchTemplateData" : {
      "MetadataOptions" : {
        "HttpEndpoint" : "enabled",
        "HttpTokens" : "required"
      }
    }
  }
}
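The following is an added example, not part of this rule's documentation or the scanner's own code: a small audit that walks a CloudFormation JSON template and reports every AWS::EC2::LaunchTemplate whose HttpTokens is not "required". It assumes that an omitted HttpTokens falls back to the EC2 default of "optional", so a template with no MetadataOptions block is reported as well; the sample template is constructed for the example.

```python
"""Audit CloudFormation launch templates for IMDSv1 exposure (added example)."""
import json

# Assumption: when HttpTokens is omitted, EC2 applies its default, which has
# historically been "optional" (IMDSv1 still answers), so an absent value is a finding.
DEFAULT_HTTP_TOKENS = "optional"


def launch_template_metadata_options(resource: dict) -> dict:
    """Return the MetadataOptions block of an AWS::EC2::LaunchTemplate, or {} if absent."""
    data = resource.get("Properties", {}).get("LaunchTemplateData", {})
    return data.get("MetadataOptions", {})


def find_imdsv1_exposure(template: dict) -> list[str]:
    """One finding per launch template that does not require IMDSv2 session tokens."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::LaunchTemplate":
            continue
        tokens = launch_template_metadata_options(resource).get("HttpTokens", DEFAULT_HTTP_TOKENS)
        # Anything other than "required" leaves the token-less IMDSv1 path open.
        if tokens != "required":
            findings.append(f"{name}: HttpTokens is {tokens!r}, expected 'required'")
    return findings


def audit_template_text(text: str) -> list[str]:
    """Parse a JSON CloudFormation template (as read from disk) and audit it."""
    return find_imdsv1_exposure(json.loads(text))


# Constructed sample template (not from a real account): one legacy template,
# one that relies on the default, one hardened template and one unrelated resource.
SAMPLE_TEMPLATE = """{
  "Resources": {
    "LegacyTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {"LaunchTemplateName": "foo", "LaunchTemplateData": {
        "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}}}},
    "DefaultTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {"LaunchTemplateName": "bar", "LaunchTemplateData": {}}},
    "HardenedTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {"LaunchTemplateName": "baz", "LaunchTemplateData": {
        "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}}}},
    "Logs": {"Type": "AWS::S3::Bucket"}
  }
}"""

if __name__ == "__main__":
    for finding in audit_template_text(SAMPLE_TEMPLATE):
        print(finding)
```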

More information