To strengthen defenses against open firewalls, open reverse proxies, and server-side request forgery (SSRF) vulnerabilities, AWS recently announced that new Amazon EC2 instance types will support only version 2 of the EC2 Instance Metadata Service (IMDSv2). To ease the transition, customers will still be able to enable IMDSv1.
IMDS provides access to temporary, frequently rotated credentials, removing the need to hardcode or distribute sensitive credentials to instances. Introduced in 2019, IMDSv2 requires a two-step process but adds layers of protection against several classes of weakness: misconfigured web application firewalls, misconfigured reverse proxies, unpatched SSRF vulnerabilities, and misconfigured layer-3 firewalls and network address translation.
Abusing the AWS metadata service through SSRF vulnerabilities has been a known issue for many years, and Jeff Barr, vice president and chief evangelist at AWS, explains the need for the change of default from mid-2024:
The v1 service uses a request/response access method and the v2 service uses a session-oriented method (...) Many applications and instances are already using and benefiting from IMDSv2, but the full range of benefits becomes available only when IMDSv1 is disabled at the AWS account level.
IMDSv2 requires the creation of a secret session token using an HTTP PUT request; the token must then be sent with every metadata query:
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
Source: AWS Blog
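As an added illustration (not the AWS blog's code), the following Python models both sides of that handshake: a fake v2-only endpoint that refuses token-less GETs and proxied token requests, and a client performing the two steps above. `FakeImdsV2`, `fetch_metadata` and the sample metadata value are constructed for this example.

```python
import secrets
import time

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
MAX_TTL = 21600  # six hours, the largest TTL IMDSv2 accepts

class FakeImdsV2:
    """Hypothetical in-memory stand-in for 169.254.169.254 with IMDSv1 disabled
    (HttpTokens=required): a token is minted only by a PUT with a TTL header, PUTs
    arriving via a proxy (X-Forwarded-For set) are refused, GETs need a live token."""

    def __init__(self, metadata, clock=time.monotonic):
        self.metadata = metadata   # path -> value, constructed sample data
        self.tokens = {}           # token -> expiry time
        self.clock = clock

    def handle(self, method, path, headers):
        headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        if method == "PUT" and path == TOKEN_PATH:
            if "x-forwarded-for" in headers:
                return 403, "forbidden: proxied token requests are rejected"
            ttl = headers.get(TTL_HEADER, "")
            if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
                return 400, "bad request: TTL header missing or out of range"
            token = secrets.token_urlsafe(32)
            self.tokens[token] = self.clock() + int(ttl)
            return 200, token
        if method == "GET":  # an IMDSv1-style GET carries no token and lands here with 401
            token = headers.get(TOKEN_HEADER)
            if token not in self.tokens or self.tokens[token] <= self.clock():
                return 401, "unauthorized: valid IMDSv2 token required"
            return (200, self.metadata[path]) if path in self.metadata else (404, "not found")
        return 405, "method not allowed"

def fetch_metadata(server, path, ttl=MAX_TTL):
    """Client side of IMDSv2: step 1 PUT for a token, step 2 GET with the token header."""
    status, token = server.handle("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl)})
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {token}")
    status, body = server.handle("GET", path, {TOKEN_HEADER: token})
    if status != 200:
        raise RuntimeError(f"metadata request failed: {status} {body}")
    return body

SAMPLE = {"/latest/meta-data/profile": "default-hvm"}  # constructed metadata value
```

Running `fetch_metadata(FakeImdsV2(SAMPLE), "/latest/meta-data/profile")` returns the sample value, while a plain GET without the token header, as an IMDSv1 client or an SSRF payload would send, is answered with 401.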
Saju Sivaji, senior technical program manager at AWS Security, and Josh Levinson, principal product manager at AWS, recently explained how to get the full benefits of IMDSv2 and disable IMDSv1:
You won't be able to get the full benefits of IMDSv2 until you disable IMDSv1. While IMDS is provided by the instance itself, the calls to IMDS are from your software. This means your software must support IMDSv2 before you can disable IMDSv1.
In February 2024, AWS plans to introduce a new API function that will allow customers to control the use of IMDSv1 as the default at the account level. Barr adds:
You can already control IMDSv1 usage in an IAM policy (taking away and limiting existing permission), or as an SCP that is applied globally across an account, an organizational unit (OU), or an entire organization.
The new default and the timeline have been well-received by the community, with user HolaGuacamola commenting on Reddit:
Finally. We had to do a bunch of work to turn V1 off on all our instances for compliance.
IMDS is a common approach among cloud providers, and Microsoft recently documented SQL techniques that attackers attempted to use to move laterally to a cloud environment.
AWS provides several tools to ease the transition to IMDSv2: the IMDS Packet Analyzer, an open-source tool that identifies and logs IMDSv1 calls starting from the instance's boot phase; the MetadataNoToken CloudWatch metric, which tracks the number of calls made using IMDSv1; and specific IAM policies and SCPs that ensure an instance can be launched only if it is configured to use IMDSv2.
All console "Quick Start" launches and Amazon Linux 2023 already use IMDSv2 by default.