EC2 instances and autoscaling groups should enforce IMDSv2


Description

Use the IMDSv2 session-oriented communication method to transport instance metadata.

For more information, see an in-depth explanation of what IMDSv2 is and why it matters.

By default, AWS launches instances with `HttpTokens` set to `optional`, which lets callers use either IMDSv1 or IMDSv2. IMDSv1 is a plain request/response method: any GET request to `http://169.254.169.254/` returns metadata, including the IAM role credentials, so any component that can be made to issue a GET on the instance's behalf can read them. IMDSv2 is session-oriented: a caller first obtains a token with a PUT request carrying the `X-aws-ec2-metadata-token-ttl-seconds` header (maximum TTL 21,600 seconds, six hours) and then presents that token in the `X-aws-ec2-metadata-token` header on every subsequent GET. Because the token request is a PUT with a custom header and the token response is sent with a default IP hop limit of 1, the token does not leave the instance through misconfigured or open web application firewalls, open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities (most of which can only issue a GET and cannot set request headers), or misconfigured layer-3 firewalls and network address translation.

This check first determines whether the EC2 instance belongs to an Auto Scaling Group (ASG) and whether that ASG's launch template or launch configuration sets `MetadataOptions.HttpTokens` to `required`. If the instance is not part of an ASG that sets this parameter, the check falls back to the instance's own metadata options and verifies that `HttpTokens` is `required` and that `State` is `applied` (a modification reports `pending` until it has reached the instance, so a pending change is not yet enforced).
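The evaluation order described above, as an added example that is not Datadog's rule implementation: the input dicts mirror the shape of the `boto3` responses for `describe_instances`, `describe_auto_scaling_instances`, `describe_launch_template_versions` and `describe_launch_configurations`, but all sample data (instance IDs, ASG and template names) is constructed inline so the module runs offline.

```python
"""Decide whether an EC2 instance enforces IMDSv2 the way this rule describes.

Added example, not Datadog's own rule code. The dicts below are constructed
to look like boto3 output; nothing here calls AWS.
"""


def _http_tokens_required(metadata_options):
    """True when a MetadataOptions block demands a session token (IMDSv2 only)."""
    return (metadata_options or {}).get("HttpTokens") == "required"


def asg_enforces_imdsv2(asg_instance, launch_template_data=None, launch_configuration=None):
    """Step 1: the ASG membership record points at a launch template
    (LaunchTemplateData from describe_launch_template_versions) or a launch
    configuration (from describe_launch_configurations); either must set
    MetadataOptions.HttpTokens=required for the ASG to count as enforcing."""
    if asg_instance is None:
        return False
    if "LaunchTemplate" in asg_instance and launch_template_data is not None:
        return _http_tokens_required(launch_template_data.get("MetadataOptions"))
    if "LaunchConfigurationName" in asg_instance and launch_configuration is not None:
        return _http_tokens_required(launch_configuration.get("MetadataOptions"))
    return False


def instance_enforces_imdsv2(instance):
    """Step 2: standalone check on the instance's own MetadataOptions.
    HttpTokens must be 'required' AND State must be 'applied'; a 'pending'
    modification has not reached the instance yet and is not enforced."""
    opts = instance.get("MetadataOptions", {})
    return _http_tokens_required(opts) and opts.get("State") == "applied"


def evaluate(instance, asg_instance=None, launch_template_data=None, launch_configuration=None):
    """Return (compliant, reason) in the rule's order: ASG config first,
    then the instance's own settings."""
    if asg_enforces_imdsv2(asg_instance, launch_template_data, launch_configuration):
        return True, "ASG launch template/configuration sets HttpTokens=required"
    if instance_enforces_imdsv2(instance):
        return True, "instance MetadataOptions: HttpTokens=required, State=applied"
    opts = instance.get("MetadataOptions", {})
    return False, f"not enforced: HttpTokens={opts.get('HttpTokens')}, State={opts.get('State')}"


# ---- constructed sample data (hypothetical IDs and names) -------------------
COMPLIANT_INSTANCE = {
    "InstanceId": "i-0aaa",
    "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                        "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"},
}
PENDING_INSTANCE = {  # modify-instance-metadata-options issued, not yet applied
    "InstanceId": "i-0bbb",
    "MetadataOptions": {"State": "pending", "HttpTokens": "required",
                        "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"},
}
DEFAULT_INSTANCE = {  # AWS default: IMDSv1 and IMDSv2 both allowed
    "InstanceId": "i-0ccc",
    "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"},
}
ASG_MEMBER_LT = {"InstanceId": "i-0ccc", "AutoScalingGroupName": "web-asg",
                 "LaunchTemplate": {"LaunchTemplateId": "lt-0123", "Version": "3"}}
ASG_MEMBER_LC = {"InstanceId": "i-0ccc", "AutoScalingGroupName": "batch-asg",
                 "LaunchConfigurationName": "batch-lc-v2"}
LT_DATA_REQUIRED = {"MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}}
LT_DATA_OPTIONAL = {"MetadataOptions": {"HttpTokens": "optional"}}
LC_REQUIRED = {"LaunchConfigurationName": "batch-lc-v2",
               "MetadataOptions": {"HttpTokens": "required"}}

if __name__ == "__main__":
    cases = [
        ("standalone, enforced", COMPLIANT_INSTANCE, None, None, None),
        ("standalone, pending", PENDING_INSTANCE, None, None, None),
        ("standalone, default", DEFAULT_INSTANCE, None, None, None),
        ("ASG template required", DEFAULT_INSTANCE, ASG_MEMBER_LT, LT_DATA_REQUIRED, None),
        ("ASG template optional", DEFAULT_INSTANCE, ASG_MEMBER_LT, LT_DATA_OPTIONAL, None),
        ("ASG launch config required", DEFAULT_INSTANCE, ASG_MEMBER_LC, None, LC_REQUIRED),
    ]
    for name, inst, asg, lt, lc in cases:
        ok, why = evaluate(inst, asg, lt, lc)
        print(f"{name:28} -> {'PASS' if ok else 'FAIL'}: {why}")
```

Note the fallback: an instance whose ASG template still allows IMDSv1 but whose own metadata options were hardened in place passes on the standalone branch, which is why the check looks at both layers rather than the ASG alone.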

Remediation

Follow the Transition to using Instance Metadata Service Version 2 docs to learn how to transition and reconfigure your software. Before enforcing the change, confirm that nothing on the instance still depends on IMDSv1 (the `MetadataNoToken` CloudWatch metric counts token-less requests). For a running instance, `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled` enforces IMDSv2 once its state reports `applied`; for instances managed by an ASG, set `MetadataOptions.HttpTokens` to `required` in the launch template or launch configuration and replace the running instances so they pick up the new settings.
