Instance Uses Metadata Service IMDSv1
- Query id: a4f5f706-80fd-4c96-9a24-6ab317d33d24
- Query name: Instance Uses Metadata Service IMDSv1
- Platform: CloudFormation
- Severity: Low
- Category: Insecure Configurations
- CWE: 200
- Risk score: 1.0
- URL: Github
Description
Instance metadata can be accessed with either IMDSv1 or IMDSv2. IMDSv2, however, is a session-oriented service that grants additional protection against exposure of metadata information, so it should be used instead of IMDSv1 to mitigate that exposure. In CloudFormation this means setting `MetadataOptions.HttpTokens` to `required` on the instance or launch template (or disabling the endpoint with `HttpEndpoint: disabled`), as the negative samples below show; leaving `HttpTokens` unset or `optional` keeps IMDSv1 reachable.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
---
# Positive sample: neither resource declares MetadataOptions, so HttpTokens is
# never set to 'required' and the query reports both resources as IMDSv1-capable.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Example'
Resources:
  MyEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: 'ami-0abcdef1234567890'
      InstanceType: 't3.micro'
      # No MetadataOptions block at all -> flagged
  MyLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateName: 'MySecureLaunchTemplate'
      LaunchTemplateData:
        ImageId: 'ami-0abcdef1234567890'
        InstanceType: 't3.micro'
        # No MetadataOptions block at all -> flagged
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpEndpoint": "enabled",
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
},
"MyLaunchTemplate": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateName": "MySecureLaunchTemplate",
"LaunchTemplateData": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpEndpoint": "enabled",
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
}
}
}
}
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro"
}
},
"MyLaunchTemplate": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateName": "MySecureLaunchTemplate",
"LaunchTemplateData": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro"
}
}
}
}
}
Positive test num. 4 - yaml file
---
# Positive sample: MetadataOptions is present but HttpTokens is 'optional',
# which still allows unauthenticated (IMDSv1) metadata requests.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Example'
Resources:
  MyEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: 'ami-0abcdef1234567890'
      InstanceType: 't3.micro'
      MetadataOptions:
        HttpTokens: optional  # IMDSv1 still accepted -> flagged
        HttpPutResponseHopLimit: 2
        HttpProtocolIpv6: disabled
  MyLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateName: 'MySecureLaunchTemplate'
      LaunchTemplateData:
        ImageId: 'ami-0abcdef1234567890'
        InstanceType: 't3.micro'
        MetadataOptions:
          HttpTokens: optional  # IMDSv1 still accepted -> flagged
          HttpPutResponseHopLimit: 2
          HttpProtocolIpv6: disabled
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpTokens": "optional",
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
},
"MyLaunchTemplate": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateName": "MySecureLaunchTemplate",
"LaunchTemplateData": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpTokens": "optional",
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
}
}
}
}
Positive test num. 6 - yaml file
---
# Positive sample: the metadata endpoint is explicitly enabled while HttpTokens
# stays 'optional', so IMDSv1 requests are still served.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Example'
Resources:
  MyEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: 'ami-0abcdef1234567890'
      InstanceType: 't3.micro'
      MetadataOptions:
        HttpEndpoint: enabled
        HttpTokens: optional  # should be 'required' -> flagged
        HttpPutResponseHopLimit: 2
        HttpProtocolIpv6: disabled
  MyLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateName: 'MySecureLaunchTemplate'
      LaunchTemplateData:
        ImageId: 'ami-0abcdef1234567890'
        InstanceType: 't3.micro'
        MetadataOptions:
          HttpEndpoint: enabled
          HttpTokens: optional  # should be 'required' -> flagged
          HttpPutResponseHopLimit: 2
          HttpProtocolIpv6: disabled
Positive test num. 7 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpEndpoint": "enabled",
"HttpTokens": "optional",
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
},
"MyLaunchTemplate": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateName": "MySecureLaunchTemplate",
"LaunchTemplateData": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpEndpoint": "enabled",
"HttpTokens": "optional",
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
}
}
}
}
Positive test num. 8 - yaml file
---
# Positive sample: MetadataOptions is declared but omits HttpTokens entirely,
# so nothing forces session tokens and the query treats it as IMDSv1-capable.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Example'
Resources:
  MyEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: 'ami-0abcdef1234567890'
      InstanceType: 't3.micro'
      MetadataOptions:
        # HttpTokens missing -> flagged
        HttpPutResponseHopLimit: 2
        HttpProtocolIpv6: disabled
  MyLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateName: 'MySecureLaunchTemplate'
      LaunchTemplateData:
        ImageId: 'ami-0abcdef1234567890'
        InstanceType: 't3.micro'
        MetadataOptions:
          # HttpTokens missing -> flagged
          HttpPutResponseHopLimit: 2
          HttpProtocolIpv6: disabled
Positive test num. 9 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
},
"MyLaunchTemplate": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateName": "MySecureLaunchTemplate",
"LaunchTemplateData": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
}
}
}
}
Positive test num. 10 - yaml file
---
# Positive sample: the endpoint is enabled and HttpTokens is absent, so the
# metadata service is reachable without requiring a session token.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Example'
Resources:
  MyEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: 'ami-0abcdef1234567890'
      InstanceType: 't3.micro'
      MetadataOptions:
        HttpEndpoint: enabled
        # HttpTokens missing -> flagged
        HttpPutResponseHopLimit: 2
        HttpProtocolIpv6: disabled
  MyLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateName: 'MySecureLaunchTemplate'
      LaunchTemplateData:
        ImageId: 'ami-0abcdef1234567890'
        InstanceType: 't3.micro'
        MetadataOptions:
          HttpEndpoint: enabled
          # HttpTokens missing -> flagged
          HttpPutResponseHopLimit: 2
          HttpProtocolIpv6: disabled
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
---
# Negative sample: the endpoint is enabled and HttpTokens is 'required', so
# every metadata request must carry an IMDSv2 session token.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Example'
Resources:
  MyEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: 'ami-0abcdef1234567890'
      InstanceType: 't3.micro'
      MetadataOptions:
        HttpEndpoint: enabled
        HttpTokens: required  # IMDSv2 enforced -> not flagged
        HttpPutResponseHopLimit: 2
        HttpProtocolIpv6: disabled
  MyLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateName: 'MySecureLaunchTemplate'
      LaunchTemplateData:
        ImageId: 'ami-0abcdef1234567890'
        InstanceType: 't3.micro'
        MetadataOptions:
          HttpEndpoint: enabled
          HttpTokens: required  # IMDSv2 enforced -> not flagged
          HttpPutResponseHopLimit: 2
          HttpProtocolIpv6: disabled
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpEndpoint": "enabled",
"HttpTokens": "required",
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
},
"MyLaunchTemplate": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateName": "MySecureLaunchTemplate",
"LaunchTemplateData": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpEndpoint": "enabled",
"HttpTokens": "required",
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
}
}
}
}
Negative test num. 3 - yaml file
---
# Negative sample: HttpTokens is 'required' on both resources; HttpEndpoint is
# left unset, which the query still accepts as long as tokens are required.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Example'
Resources:
  MyEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: 'ami-0abcdef1234567890'
      InstanceType: 't3.micro'
      MetadataOptions:
        HttpTokens: required  # IMDSv2 enforced -> not flagged
        HttpPutResponseHopLimit: 2
        HttpProtocolIpv6: disabled
  MyLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateName: 'MySecureLaunchTemplate'
      LaunchTemplateData:
        ImageId: 'ami-0abcdef1234567890'
        InstanceType: 't3.micro'
        MetadataOptions:
          HttpTokens: required  # IMDSv2 enforced -> not flagged
          HttpPutResponseHopLimit: 2
          HttpProtocolIpv6: disabled
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpTokens": "required",
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
},
"MyLaunchTemplate": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateName": "MySecureLaunchTemplate",
"LaunchTemplateData": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpTokens": "required",
"HttpPutResponseHopLimit": 2,
"HttpProtocolIpv6": "disabled"
}
}
}
}
}
}
Negative test num. 5 - yaml file
---
# Negative sample: the metadata endpoint is disabled altogether, so neither
# IMDSv1 nor IMDSv2 is reachable and the query does not report it. Note that
# HttpTokens is still 'optional' here; re-enabling the endpoint without
# changing it to 'required' would presumably bring the finding back.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Example'
Resources:
  MyEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: 'ami-0abcdef1234567890'
      InstanceType: 't3.micro'
      MetadataOptions:
        HttpEndpoint: disabled  # no metadata service at all -> not flagged
        HttpTokens: optional
  MyLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateName: 'MySecureLaunchTemplate'
      LaunchTemplateData:
        ImageId: 'ami-0abcdef1234567890'
        InstanceType: 't3.micro'
        MetadataOptions:
          HttpEndpoint: disabled  # no metadata service at all -> not flagged
          HttpTokens: optional
Negative test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpEndpoint": "disabled",
"HttpTokens": "optional"
}
}
},
"MyLaunchTemplate": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateName": "MySecureLaunchTemplate",
"LaunchTemplateData": {
"ImageId": "ami-0abcdef1234567890",
"InstanceType": "t3.micro",
"MetadataOptions": {
"HttpEndpoint": "disabled",
"HttpTokens": "optional"
}
}
}
}
}
}