EC2 instances should enforce IMDSv2
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Description
Use the IMDSv2 session-oriented communication method to transport instance metadata.
For more information, you can also refer to our in-depth explanation of what IMDSv2 is and why it matters.
Rationale
AWS default configurations allow the use of either IMDSv1, IMDSv2, or both. IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.
Follow the Transition to using Instance Metadata Service Version 2 docs to learn how to transition and reconfigure your software.