
How to update IMDSv1 to more secure IMDSv2 on AWS

Having IMDSv1 enabled on your instances allows attackers to use vulnerabilities such as SSRF to read sensitive information about your instances from the metadata service. In this article we will walk through the steps to update an EC2 instance from IMDSv1 to IMDSv2 using the AWS CLI.

Introduction

Instance Metadata Service (IMDS) provides information about the instance itself and can be used to generate security credentials to access AWS. The service provides information about the instance like the instance ID, SSH public keys, and external and internal IP addresses. When an instance profile is attached to the instance, IMDS allows for the generation of temporary credentials that can be used to access other cloud resources.

Version 1 of IMDS is considered insecure because no authentication is required to fetch data from the IMDS endpoint: any request that reaches the endpoint, including one forged through an SSRF bug in an application on the instance, is answered. This can allow an attacker to gain access to sensitive information, including the temporary credentials, held within the metadata service.

Version 2 requires a session token obtained with a PUT request before any metadata can be read, and it is the recommended setting to prevent unauthorised access to the endpoint.


Updating IMDSv1 to IMDSv2

You can also watch a quick hands-on video for updating IMDSv1 to IMDSv2.

https://youtu.be/AD9GCpL_KUY 

To update your EC2 instance from IMDSv1 to IMDSv2 using the AWS CLI, follow the steps below:

  1. To check the IMDS configuration of your instances, run the following command (replace the placeholder with your region):

aws ec2 describe-instances --region=<region> --query 'Reservations[*].Instances[*].MetadataOptions'

In our case, the screenshot shows two outputs because we have two EC2 instances. For both instances the HTTP endpoint is enabled and HTTP tokens are optional, which means IMDSv1 is still accepted on both.

  2. To demonstrate how to update an instance from IMDSv1 to IMDSv2, select one of these instances and note down its instance ID:

aws ec2 describe-instances --region=<region> --query 'Reservations[*].Instances[*].InstanceId'

Or

To see at a glance which instances still have IMDSv1 enabled, you can also run the following command, which returns detailed information about all EC2 instances in the selected region:

aws ec2 describe-instances --region=<region> --query 'Reservations[*].Instances'

  3. To enable IMDSv2 on the selected instance, run the following command. In the parameters, the HTTP endpoint must be set to enabled and HTTP tokens must be set to required; once tokens are required, requests without a token are rejected, so make sure the software on the instance uses an SDK or agent version that supports IMDSv2 before applying this change.

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-endpoint enabled --http-tokens required --region=<region>

  4. Run the command from step 1 again to confirm that HttpTokens now reads required, i.e. the instance has been successfully updated to IMDSv2.
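The four steps above can be combined into a single audit-and-enforce script. The following is an added example written for this article, not the AWS CLI's own tooling: it queries every instance in a region as a tab-separated text table, keeps only those that still accept IMDSv1 (HTTP endpoint enabled, HTTP tokens optional), and either prints or runs the modify-instance-metadata-options command for each one. The REGION and DRY_RUN variables and the function names are assumptions of this example; the script assumes a configured AWS CLI with rights to describe instances and modify their metadata options.

```shell
#!/bin/sh
# Added example (not from the original article): audit a region for
# instances that still accept IMDSv1 and enforce IMDSv2 on them.
# REGION, DRY_RUN and the function names below are this example's own.

REGION="${REGION:-us-east-1}"   # assumed default; override with REGION=...
DRY_RUN="${DRY_RUN:-1}"         # 1 = only print the commands, 0 = apply them

# Query that yields one tab-separated line per instance:
#   <instance-id> <HttpEndpoint> <HttpTokens>
AUDIT_QUERY='Reservations[*].Instances[*].[InstanceId,MetadataOptions.HttpEndpoint,MetadataOptions.HttpTokens]'

# Read the audit lines on stdin and print the IDs that still accept IMDSv1
# (endpoint enabled, tokens optional). Disabled endpoints are not at risk,
# and "required" already means IMDSv2-only.
imds_v1_instances() {
    while read -r id endpoint tokens; do
        [ -z "$id" ] && continue
        if [ "$endpoint" = "enabled" ] && [ "$tokens" = "optional" ]; then
            printf '%s\n' "$id"
        fi
    done
}

# Build the remediation command for one instance (returned as text so it can
# be reviewed in dry-run mode before anything is changed).
remediation_cmd() {
    printf 'aws ec2 modify-instance-metadata-options --instance-id %s --http-endpoint enabled --http-tokens required --region %s\n' "$1" "$2"
}

# Audit the region and enforce IMDSv2 on every instance still on IMDSv1.
enforce_imdsv2() {
    aws ec2 describe-instances --region "$REGION" --query "$AUDIT_QUERY" --output text \
    | imds_v1_instances \
    | while read -r id; do
        if [ "$DRY_RUN" = "1" ]; then
            remediation_cmd "$id" "$REGION"
        else
            aws ec2 modify-instance-metadata-options --instance-id "$id" \
                --http-endpoint enabled --http-tokens required --region "$REGION"
        fi
    done
}

# Usage: REGION=eu-west-1 sh enforce_imdsv2.sh run          (dry run, prints commands)
#        REGION=eu-west-1 DRY_RUN=0 sh enforce_imdsv2.sh run (applies the change)
if [ "${1:-}" = "run" ]; then
    enforce_imdsv2
fi
```

Run it once in dry-run mode and review the printed commands; only then set DRY_RUN=0, since requiring tokens cuts off any process on those instances that still calls the metadata service without a token.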
