AWS Config Rule: EC2 IMDS Instance v2 Enabled

EC2_IMDSV2_CHECK

Fernando Honig

Last Update 10 months ago

Description: Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata service is configured to use Instance Metadata Service Version 2 (IMDSv2). The rule is NON_COMPLIANT if HttpTokens is set to optional.


Trigger type: Configuration changes


AWS Region: All supported AWS Regions except Asia Pacific (Jakarta), Africa (Cape Town), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), Europe (Spain), Europe (Zurich).


How to Resolve Manually

To resolve this manually, modify the instance metadata options of each affected instance so that HttpTokens is no longer optional. This can be done using the CLI or the API.
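The API route, as an added example that is not StackZone's or AWS's own code: it reproduces the rule's compliance logic (HttpTokens equal to optional is NON_COMPLIANT), lists the instances that still allow IMDSv1, checks the EC2 CloudWatch metric MetadataNoToken (which counts IMDSv1 calls) so you can see what would break before enforcing, and then sets HttpTokens to required through modify_instance_metadata_options. The instance ids in SAMPLE_PAGES are constructed; the live run at the bottom assumes boto3 and credentials for the region you are auditing.

```python
# Added example (not StackZone's or AWS's code): audit instances for the condition
# EC2_IMDSV2_CHECK flags (HttpTokens == optional) and enforce IMDSv2 via the EC2 API.
# Instance ids and the sample responses below are constructed for illustration.
from datetime import datetime, timedelta, timezone


def evaluate_metadata_options(metadata_options):
    """Mirror the rule's logic: NON_COMPLIANT when HttpTokens is 'optional'.

    A missing MetadataOptions block is treated as 'optional' (the historic default)
    so such instances are reported rather than silently skipped.
    """
    tokens = (metadata_options or {}).get("HttpTokens", "optional")
    return "NON_COMPLIANT" if tokens == "optional" else "COMPLIANT"


def find_noncompliant_instances(describe_pages):
    """Return ids of instances that are not enforcing IMDSv2.

    describe_pages is an iterable of describe_instances response pages, so the
    function works on live paginator output or on captured JSON alike.
    """
    ids = []
    for page in describe_pages:
        for reservation in page.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                if evaluate_metadata_options(inst.get("MetadataOptions")) == "NON_COMPLIANT":
                    ids.append(inst["InstanceId"])
    return ids


def imdsv1_calls(cloudwatch, instance_id, hours=24):
    """Sum the EC2 MetadataNoToken metric (IMDSv1 calls) over the last `hours`.

    A non-zero count means something on the instance still relies on IMDSv1 and
    would break once HttpTokens is set to required.
    """
    end = datetime.now(timezone.utc)
    resp = cloudwatch.get_metric_statistics(
        Namespace="AWS/EC2",
        MetricName="MetadataNoToken",
        Dimensions=[{"Name": "InstanceId", "Value": instance_id}],
        StartTime=end - timedelta(hours=hours),
        EndTime=end,
        Period=3600 * hours,
        Statistics=["Sum"],
    )
    return sum(point["Sum"] for point in resp.get("Datapoints", []))


def require_imdsv2(ec2, instance_id):
    """Set HttpTokens to required; the endpoint stays enabled so IMDSv2 keeps working."""
    resp = ec2.modify_instance_metadata_options(
        InstanceId=instance_id,
        HttpTokens="required",
        HttpEndpoint="enabled",
    )
    return resp["InstanceMetadataOptions"]["HttpTokens"]


# Constructed sample: one enforcing instance, one still optional, one with no block.
SAMPLE_PAGES = [
    {"Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000aaaa", "MetadataOptions": {"HttpTokens": "required"}},
        {"InstanceId": "i-0000000000000bbbb", "MetadataOptions": {"HttpTokens": "optional"}},
    ]}]},
    {"Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000cccc"},
    ]}]},
]


if __name__ == "__main__":
    import boto3  # only needed for the live run against one region

    ec2 = boto3.client("ec2")
    cw = boto3.client("cloudwatch")
    pages = ec2.get_paginator("describe_instances").paginate()
    for instance_id in find_noncompliant_instances(pages):
        calls = imdsv1_calls(cw, instance_id)
        if calls:
            print(f"{instance_id}: {int(calls)} IMDSv1 calls in the last 24h, leaving as is")
        else:
            print(f"{instance_id}: HttpTokens now {require_imdsv2(ec2, instance_id)}")
```

The rule is regional, so run the script once per region (or per boto3 client for each region) to match what the StackZone remediation does across all regions. Instances that still show IMDSv1 calls are skipped on purpose; fix the agent or application first, then re-run.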


How to Resolve with StackZone

You can resolve with StackZone by enabling the EC2 IMDSv2 Remediation.


Go to Provisioning -> Baseline Services -> AWS Config Rules Regional -> Amazon EC2 and enable EC2 Instance IMDS v2 Enabled Remediation.


This will modify all instances in all regions.

Note: Proceed cautiously and test carefully before making this change. If you enforce the use of IMDSv2, applications or agents that still use IMDSv1 to access instance metadata will break.

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here
