How to Secure your Instance Metadata Service on AWS

BLOG ARTICLE

How to Secure your Instance Metadata Service on AWS

Introduction

In this two-part series, I will explain and demonstrate how to update your EC2 instances to use IMDSv2 as well as automate this process through the use of SSM Documents that can be provisioned within your CloudFormation templates.

What is IMDS

IMDS, or Instance Metadata Service, is an on-instance component that makes instance metadata accessible to our code. Instance metadata is data that explicitly relates to the EC2 instance that we can use to configure our apps and the running instance itself. By running the below command, users can view specific metadata details, such as instance-id, instance-type etc.

However, by using the above command we can uncover details about the IAM role, profile and specific security credentials which is a vulnerability with IMDSv1.Currently, IMDS has two distinct versions. IMDSv1 utilises an unauthenticated HTTP endpoint for accessing instance metadata and has been the main version of IMDS, until…. IMDSv2. 

IMDSv2 is the latest version of IMDS and utilises session-oriented token requests (HttpTokens). By utilising session-oriented token requests, IMDSv2 alleviates the previous IMDSv1 security vulnerabilities.

How to Configure IMDSv2

As at the time of writing, in order to configure IMDS to use v2, there is no explicit way of setting this using CloudFormation. You can only set the version when creating the instance within the Console (via ClickOps).

However, setting the version manually, doesn’t provide much flexibility. One approach is via the AWS CLI commands. There are three commands that can be used to either modify, remove or restore IMDS endpoints of an EC2 instance. Below are three shell scripts that I have created that execute those CLI commands.

Pre-Requisites

Before running the scripts, there are a few housekeeping items to address beforehand:

  1. You will need an AWS Account. The free tier will work, but ensure that the instances that you instantiate are free tier eligible.
  2. You will need to configure your AWS CLI to use your AWS Account
    https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html


Before running the script, I instantiated three EC2 instances (using the default settings) which will be used to configure IMDS to V2.

Modify Instances to use IMDSv2

Within this script, the user would have to pass in the EC2 Instance ID that they want to enable IMDSv2 on. The script will perform some basic error handling to ensure that the ID is not blank. If the check passes, the script will run the AWS CLI command, where it will configure IMDSv2 on the instance. 


Once the command has been executed, we will be able to confirm whether the command was successful by checking the instance metadata options returned by the script. Check the HttpEndpoint attribute is set to enabled and that HttpTokens is also set to required. If these are set, then the instance is running IMDSv2.

Modify IMDS Script Example

After running the command, users can view the instance metadata options returned by the script to validate whether the script executed correctly.

Disable IMDS on EC2 Instances

Once again, the user would have to pass in the EC2 Instance ID that they want to disable IMDS on. The script will perform some basic error handling to ensure that the ID is not blank. If the check passes, the script will run the AWS CLI command, where it will disable IMDS on the instance. 

Once the command has been executed, check the HttpEndpoint attribute is set to disabled. If set, then access to the IMDS endpoint is disabled.

Disable IMDS Script Example

After running the command, users can view the instance metadata options to validate whether the script executed correctly (by checking that the HttpEndpoint is disabled).

Restore IMDSv1 to Instances

Again, the user would have to pass in the EC2 Instance ID that they want to restore IMDS on. The script will perform some basic error handling to ensure that the ID is not blank. If the check passes, the script will run the AWS CLI command, where it will restore IMDSv1 on the instance. 

Once the command has been executed, check that HttpTokens is set to optional as well as HttpEndpoints set to enabled. If set, then the IMDS has been restored to v1.

Restore IMDS Script Example

After running the command, users can view the instance metadata options to validate whether the script executed correctly.

CONCLUSION

In this post, I have explained what Instance Metadata Service is as well as demonstrated how to configure your EC2 instances to use IMDSV2 through the three helper scripts. In the second part of the blog post series, I will explain and demonstrate how users can automate these scripts by creating SSM Documents within a CloudFormation template and, by integrating a tagging system, enable the Run Documents to call the corresponding script (modify, disable or restore) based on the specified tag of the instance.