AWS Config Rule: EC2 IMDS Instance v2 Enabled


Fernando Honig

Last Update 8 months ago

Description: Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The rule is NON_COMPLIANT if HttpTokens is set to optional.

Trigger type: Configuration changes

AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Africa (Cape Town), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), Europe (Spain), Europe (Zurich) Region

How to Resolve Manually

To resolve this manually, modify the instance metadata options of each non-compliant instance so that HttpTokens is set to required; this can be done with the AWS CLI or the API.
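As an added example (not code from the article or from StackZone), the script below applies the rule's test to a saved `aws ec2 describe-instances --output json` dump and prints the CLI call that enforces IMDSv2 for each NON_COMPLIANT instance. The embedded sample and its instance IDs are constructed; running it against a real dump is the `python imdsv2_check.py instances.json` form.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-instances --output json`,
# reduced to the fields this check reads. Instance IDs are made up.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111",
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0bbb222",
             "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
        ]}
    ]
})


def evaluate_imdsv2(describe_output: str) -> dict:
    """Apply the rule's test per instance: NON_COMPLIANT when HttpTokens is 'optional'."""
    results = {}
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tokens = inst.get("MetadataOptions", {}).get("HttpTokens")
            results[inst["InstanceId"]] = "NON_COMPLIANT" if tokens == "optional" else "COMPLIANT"
    return results


def remediation_command(instance_id: str) -> str:
    """The AWS CLI call that sets HttpTokens to required on one instance.
    Only the token setting is changed; the HttpEndpoint state is left as it is."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required")


def remediation_plan(describe_output: str) -> list:
    """One remediation command per NON_COMPLIANT instance, in dump order."""
    return [remediation_command(iid)
            for iid, state in evaluate_imdsv2(describe_output).items()
            if state == "NON_COMPLIANT"]


if __name__ == "__main__":
    # Use a real dump if a path is given, otherwise the constructed sample.
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DESCRIBE_INSTANCES
    for iid, state in evaluate_imdsv2(dump).items():
        print(f"{iid}\t{state}")
    for cmd in remediation_plan(dump):
        print(cmd)
```

Before running the printed commands, check each instance's `MetadataNoToken` CloudWatch metric (AWS/EC2 namespace): a non-zero value means something on that instance still calls IMDSv1 and will break once tokens are required.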

How to Resolve with StackZone

You can resolve with StackZone by enabling the EC2 IMDSv2 Remediation.

Go to Provisioning -> Baseline Services -> AWS Config Rules Regional -> Amazon EC2 and enable EC2 Instance IMDS v2 Enabled Remediation

This will modify all instances in all regions.

Note: You should proceed cautiously and conduct careful testing before making any changes. Take note of the following:
If you enforce the use of IMDSv2, applications or agents that still use IMDSv1 to access instance metadata will break.
