Kloudle Academy

How to update IMDSv1 to more secure IMDSv2 on AWS

Pragti Chauhan
#aws#cloudsecurity#imdsv2

Introduction

The Instance Metadata Service (IMDS) is an HTTP endpoint, reachable only from inside an EC2 instance, that describes the instance itself: instance ID, SSH public keys, internal and external IP addresses, user data and similar attributes. When an instance profile is attached, IMDS also serves the temporary credentials for that IAM role, which processes on the instance use to call other AWS services.

Version 1 of IMDS is considered insecure because the endpoint answers any HTTP GET from the instance without authentication. Anything that can make the instance issue a request on an attacker's behalf, typically a server-side request forgery (SSRF) flaw in a web application or a misconfigured proxy, can therefore read the metadata, including the instance profile credentials under /latest/meta-data/iam/security-credentials/, and use them from outside the instance.

Version 2 is session-oriented. A caller first obtains a token with a PUT request to /latest/api/token carrying the X-aws-ec2-metadata-token-ttl-seconds header (1 to 21600 seconds), then presents that token in the X-aws-ec2-metadata-token header on every metadata request. Once HttpTokens is set to required, a token-less GET is rejected with HTTP 401. This blocks the common attack paths: most SSRF bugs let an attacker trigger GETs but not PUTs with custom headers, and the PUT response is sent with an IP TTL equal to the configured hop limit (default 1), so it does not survive a hop through a container bridge or a forwarding proxy. Note that HttpTokens set to optional (the setting on many existing instances) still accepts token-less requests; only required disables IMDSv1.

In this article we will walk through the steps to update an EC2 instance from IMDSv1 to IMDSv2 using AWS CLI.

Updating IMDSv1 to IMDSv2

You can also watch a quick hands-on video for updating IMDSv1 to IMDSv2.

https://youtu.be/AD9GCpL_KUY

To update your EC2 instance from IMDSv1 to IMDSv2 using AWS CLI, follow the steps below:

  1. To check the IMDS configuration of the instances in a region, run the following command (the query is quoted so the shell does not try to expand the brackets):

    aws ec2 describe-instances --region=<REGION> --query 'Reservations[*].Instances[*].MetadataOptions'

    In our case the command returns two MetadataOptions blocks because the region has two EC2 instances. For both, HttpEndpoint is enabled and HttpTokens is optional. "optional" means the endpoint answers requests with or without a session token, so IMDSv1 is still available on both instances.

    [Screenshot: aws ec2 describe-instances output showing MetadataOptions for both instances]

  2. To demonstrate the update, we select one of these instances and note its instance ID:

    aws ec2 describe-instances --region=<REGION> --query 'Reservations[*].Instances[*].InstanceId'

    [Screenshot: aws ec2 describe-instances output listing the instance IDs]

    Alternatively, to see the full record for every instance in the region, including which ones still accept IMDSv1, run the following command. It returns all instance attributes rather than just the metadata options, so it is the easier way to match each InstanceId with its MetadataOptions:

    aws ec2 describe-instances --region=<REGION> --query 'Reservations[*].Instances'

  3. To require IMDSv2 on the selected instance, run the following command. --http-endpoint enabled keeps the service reachable and --http-tokens required makes the session token mandatory, which is what turns IMDSv1 off:

    aws ec2 modify-instance-metadata-options --instance-id <INSTANCE ID> --http-endpoint enabled --http-tokens required --region=<REGION>

    Two checks before running this in production. First, make sure nothing on the instance still depends on IMDSv1: the per-instance EC2 CloudWatch metric MetadataNoToken counts token-less metadata calls, so a non-zero value means some process (an old SDK, a curl in a startup script) will break once tokens are required. Second, if the instance runs containers that reach IMDS through a bridge network, the default PUT response hop limit of 1 is too small for them to complete the token request; add --http-put-response-hop-limit 2 in that case. Also note that --http-endpoint enabled would switch the service back on for an instance where it had deliberately been disabled, so apply the command only to instances that currently report HttpEndpoint as enabled.

  4. Run the command from Step 1 again to confirm the change. HttpTokens should now read required; the State field may show pending for a moment before it changes to applied. New instances can be launched already on IMDSv2 by passing --metadata-options "HttpTokens=required,HttpEndpoint=enabled" to aws ec2 run-instances.

    [Screenshot: aws ec2 describe-instances output showing HttpTokens required]
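Doing Steps 1 to 3 by hand works for two instances but not for a fleet. The following added example (written for this article, not Kloudle's code) takes the JSON that `aws ec2 describe-instances` prints, classifies every instance as IMDS disabled, IMDSv2-only or still accepting IMDSv1, and emits the Step 3 command only for the last group, so an instance whose endpoint was deliberately disabled is never re-enabled by accident. The SAMPLE document, its instance IDs and the us-east-1 default region are constructed for the demo; in practice you save the real CLI output to a file and pass it in.

```python
"""Classify EC2 instances by IMDS posture from saved `aws ec2 describe-instances`
output and emit the remediation commands from Step 3 for those still on IMDSv1.

Added example for this article, not Kloudle's code; it reads the JSON the CLI
prints, so it runs without AWS access. Instance IDs in SAMPLE are invented."""
import json
import sys

# Constructed sample shaped like `aws ec2 describe-instances --output json`.
SAMPLE = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccccccccccccccc3",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
        ]},
    ]
})


def imds_posture(instance: dict) -> str:
    """Map one instance's MetadataOptions to imds_disabled / v2_only / v1_allowed."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return "imds_disabled"  # leave alone: the Step 3 command would re-enable it
    if opts.get("HttpTokens") == "required":
        return "v2_only"
    return "v1_allowed"  # "optional" (or absent): token-less requests still answered


def audit(describe_output: str) -> dict[str, str]:
    """InstanceId -> posture for every instance in the describe-instances JSON."""
    data = json.loads(describe_output)
    return {
        inst["InstanceId"]: imds_posture(inst)
        for reservation in data["Reservations"]
        for inst in reservation["Instances"]
    }


def remediation_commands(posture: dict[str, str], region: str,
                         hop_limit: int = 1) -> list[str]:
    """One modify-instance-metadata-options call per instance that still allows IMDSv1.
    Use hop_limit=2 for hosts whose containers reach IMDS through a bridge network."""
    return [
        f"aws ec2 modify-instance-metadata-options --region {region} "
        f"--instance-id {iid} --http-endpoint enabled --http-tokens required "
        f"--http-put-response-hop-limit {hop_limit}"
        for iid, state in sorted(posture.items())
        if state == "v1_allowed"
    ]


if __name__ == "__main__":
    # Usage: aws ec2 describe-instances --region <REGION> > instances.json
    #        python imds_audit.py instances.json <REGION>
    # With no arguments the constructed SAMPLE is used; the region falls back to
    # the placeholder us-east-1 (an assumption for the demo, not from the article).
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    region = sys.argv[2] if len(sys.argv) > 2 else "us-east-1"
    posture = audit(raw)
    for iid, state in sorted(posture.items()):
        print(f"{iid}\t{state}")
    print("\n".join(remediation_commands(posture, region)))
```

Review the printed commands before running them: the script decides purely from MetadataOptions and cannot know whether a workload on a v1_allowed instance still makes token-less calls, which is what the MetadataNoToken metric from Step 3 tells you.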
