AWS Security - Enforcing IMDSv2 for Launching EC2 Instances Safely
Requiring IMDSv2 instead of IMDSv1 when launching EC2 instances closes the simplest route from a flaw in software running on an instance to the credentials of its IAM role.
In this blog post, we look at why the instance metadata service matters for the security of an AWS account and walk through how to enforce the use of Instance Metadata Service version 2 (IMDSv2) for EC2 instances.
1. Understanding the EC2 Metadata and Metadata service
Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, host name, events, and security groups.
You can access instance metadata from a running instance using one of the following methods:
Instance Metadata Service Version 1 (IMDSv1) — a request/response method
Instance Metadata Service Version 2 (IMDSv2) — a session-oriented method
By default (the "optional" token setting), an instance accepts both IMDSv1 and IMDSv2 requests. Some recent AMIs, such as Amazon Linux 2023, are registered so that new instances default to IMDSv2 only, but the setting should be enforced rather than assumed.
2. What is IMDSv2
IMDS (Instance Metadata Service) is a link-local HTTP service, reachable from inside every instance at 169.254.169.254 without any authentication, that returns instance metadata and, when an IAM role is attached, the temporary security credentials for that role. With IMDSv1 a single GET request to the right path returns those credentials, which is why server-side request forgery (SSRF) bugs, open proxies and similar flaws in applications running on an instance have repeatedly turned into credential theft. IMDSv2 changes the protocol in three ways: a caller must first obtain a session token with a PUT request carrying an X-aws-ec2-metadata-token-ttl-seconds header (a request most SSRF and redirect bugs cannot produce), every subsequent request must present that token in the X-aws-ec2-metadata-token header, and the service refuses to issue tokens to requests that carry an X-Forwarded-For header or, with the default PUT response hop limit of 1, that arrive through an extra network hop such as a container's bridged network.
In the console the setting lives under EC2 --> Launch Instance --> Advanced details --> Metadata version; choose V2 only (token required) rather than V1 and V2 (token optional). The equivalent for the CLI is the run-instances option --metadata-options HttpTokens=required,HttpEndpoint=enabled.
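The token exchange described above, as an added example that is not part of the original post. The two client functions issue exactly the requests IMDSv2 expects and would work against the real service at 169.254.169.254 when run on an instance; the stand-in server, the role name demo-role and the credential values are constructed here so the exchange can be exercised on a laptop. It also shows what happens to a token-less IMDSv1-style GET, which is the request an SSRF bug typically gives an attacker, when only V2 is accepted.

```python
"""IMDSv2 session-token exchange: client side plus a minimal stand-in server.
Added example, not from the original post; the server, role name and
credential values below are constructed for demonstration."""
import json
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_HOST = "http://169.254.169.254"  # real IMDS address, only reachable from an instance
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed sample; a real instance returns live credentials for its IAM role.
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "constructed-secret",
              "Token": "constructed-session-token", "Expiration": "2030-01-01T00:00:00Z"}


def get_imdsv2_token(base_url, ttl=21600):
    """Step 1: PUT with the TTL header; IMDS answers with a session token (max TTL 6 h)."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_role_credentials(base_url, token=None):
    """Step 2: GET the role name, then its credentials, sending the token header.
    token=None reproduces an IMDSv1-style request so the refusal can be observed."""
    headers = {"X-aws-ec2-metadata-token": token} if token else {}
    req = urllib.request.Request(base_url + CREDS_PATH, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        role = resp.read().decode().splitlines()[0]
    req = urllib.request.Request(base_url + CREDS_PATH + role, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return json.loads(resp.read().decode())


class FakeIMDSv2(BaseHTTPRequestHandler):
    """Constructed stand-in for IMDS in 'required' (V2 only) mode."""
    tokens = {}  # session token -> expiry time (shared by all handler instances)

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, code, body=""):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_PUT(self):
        # Like the real service: no tokens for proxied (X-Forwarded-For) requests.
        if self.path != TOKEN_PATH or "X-Forwarded-For" in self.headers:
            return self._send(403)
        ttl = int(self.headers.get("X-aws-ec2-metadata-token-ttl-seconds", "0"))
        if not 1 <= ttl <= 21600:
            return self._send(400)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + ttl
        self._send(200, token)

    def do_GET(self):
        token = self.headers.get("X-aws-ec2-metadata-token")
        if self.tokens.get(token, 0) < time.time():
            return self._send(401)  # missing or expired token: the IMDSv1 path is closed
        if self.path == CREDS_PATH:
            return self._send(200, "demo-role\n")
        if self.path == CREDS_PATH + "demo-role":
            return self._send(200, json.dumps(FAKE_CREDS))
        self._send(404)


def start_fake_imds():
    """Serve the stand-in on an ephemeral loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), FakeIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


def imdsv1_style_request_status(base_url):
    """HTTP status a token-less GET receives; 401 when only V2 is accepted."""
    try:
        get_role_credentials(base_url)
    except urllib.error.HTTPError as e:
        return e.code
    return 200


if __name__ == "__main__":
    url = start_fake_imds()
    print("token-less GET ->", imdsv1_style_request_status(url))
    tok = get_imdsv2_token(url)
    print("with token     ->", get_role_credentials(url, tok)["AccessKeyId"])
```

To run the client part against a real instance, pass IMDS_HOST as base_url; the rest of the block is only there to make the exchange observable offline.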
3. Transition to using Instance Metadata Service Version 2
First identify instances that still allow IMDSv1: describe-instances reports HttpTokens as optional under MetadataOptions, and the CloudWatch metric MetadataNoToken counts the IMDSv1 calls an instance actually makes. Update the SDKs, agents and scripts on those instances (current AWS SDKs and the CLI use IMDSv2 automatically), confirm MetadataNoToken has dropped to zero, and then set HttpTokens to required with modify-instance-metadata-options, following the steps in the AWS documentation. To keep IMDSv1 from coming back, set the account default for new launches with modify-instance-metadata-defaults --http-tokens required and deny ec2:RunInstances in IAM or an SCP unless the condition key ec2:MetadataHttpTokens equals required.
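The audit-then-enforce sequence from this section, written out in Python with boto3 as an added example (not code from the original post or from AWS). The boto3 method names, the MetadataOptions fields, the MetadataNoToken metric and the ec2:MetadataHttpTokens condition key are the real ones; the sample describe_instances response and the instance IDs in it are constructed, and the region name is a placeholder.

```python
"""Find instances that still allow IMDSv1, check whether anything on them uses it,
switch them to V2 only, and block IMDSv1 launches in IAM. Added example, not from
the original post; SAMPLE_RESPONSE and its instance IDs are constructed."""


def instances_allowing_imdsv1(describe_response):
    """IDs whose MetadataOptions are not HttpTokens=required.
    Accepts the dict shape that ec2.describe_instances() returns."""
    found = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # IMDS switched off entirely: nothing to tighten
            if opts.get("HttpTokens") != "required":
                found.append(inst["InstanceId"])
    return found


def audit_region(region):
    """Live version: page through every instance in the region."""
    import boto3  # imported here so the offline helpers work without the SDK
    ec2 = boto3.client("ec2", region_name=region)
    ids = []
    for page in ec2.get_paginator("describe_instances").paginate():
        ids.extend(instances_allowing_imdsv1(page))
    return ids


def imdsv1_calls_last_day(region, instance_id):
    """Sum of MetadataNoToken over the last 24 h. Non-zero means software on the
    instance still speaks IMDSv1 and must be updated before tokens are required."""
    import boto3
    from datetime import datetime, timedelta, timezone
    cw = boto3.client("cloudwatch", region_name=region)
    end = datetime.now(timezone.utc)
    resp = cw.get_metric_statistics(
        Namespace="AWS/EC2", MetricName="MetadataNoToken",
        Dimensions=[{"Name": "InstanceId", "Value": instance_id}],
        StartTime=end - timedelta(days=1), EndTime=end,
        Period=86400, Statistics=["Sum"])
    return sum(dp["Sum"] for dp in resp.get("Datapoints", []))


def enforce_imdsv2(region, instance_ids, hop_limit=1):
    """Require tokens on each instance. Hop limit 1 keeps containers on a bridged
    network from reaching the token endpoint; raise it only where pods need IMDS."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    for iid in instance_ids:
        ec2.modify_instance_metadata_options(
            InstanceId=iid, HttpTokens="required",
            HttpEndpoint="enabled", HttpPutResponseHopLimit=hop_limit)


# IAM/SCP statement that refuses launches unless the request sets HttpTokens=required.
DENY_IMDSV1_LAUNCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
    }],
}

# Constructed sample in the shape describe_instances returns.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
]}]}

if __name__ == "__main__":
    print(instances_allowing_imdsv1(SAMPLE_RESPONSE))
    # Live use (placeholder region): for each ID from audit_region("us-east-1"),
    # check imdsv1_calls_last_day() is 0, then call enforce_imdsv2() on that set.
```

Only instances whose MetadataNoToken count has reached zero should be passed to enforce_imdsv2; an instance that is still making IMDSv1 calls will start failing those calls the moment tokens become required.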
4. Conclusion
Requiring IMDSv2 costs nothing for up-to-date software and removes the simplest path from a vulnerability in an application on an instance to the credentials of the instance's IAM role. Enforce it on existing instances, in the launch defaults, and in IAM, so that IMDSv1 cannot quietly come back into the account.