Enhancing AWS Security: Upgrading AWS IMDS from v1 to v2

Hello everyone I hope you guys are contributing well to fixing security issues on the cloud side. Welcome to a new blog series Enhancing AWS Security. In this series, I will write blogs on hardening security in your cloud.

Today, I am going to walk through you upgrading your Instance Metadata Service version to protect your instance from exposure of IAM credentials by exploiting Server Side Request Forgery(SSRF).

What is IMDS ?

IMDS stands for Instance Metadata Service as the word says metadata, It’s a service that contains metadata about the instance.

Understanding the Need for Instance Metadata Service

IMDS is having metadata information about your instances which is used to configure/manage your ec2 instances. You can use IMDS to retrieve metadata of your instances within the instances. It contains sensitive information such as IAM credentials, events, metrics, services, security groups, public keys etc.

Why Transitioning to IMDSv2 is Essential ?

IMDSv1: IMDSv1 is a request/response method means no token is required to access the sensitive information within your instances. If your web application is vulnerable to SSRF(Server Side Request Forgery) then the malicious actor will fetch metadata of the instances by simply using http://169.254.169.254/latest/meta-data/ on the vulnerable parameter. The malicious actor can retrive IAM credentials by exploiting the issue.

http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name/

IMDSv2: IMDSv2 is a session-oriented method. First, you have to generate a token to retrieve the metadata of the instances. Generation of token requires PUT request to http://169.254.169.254/latest/api/token

IMDSv2 is more secure than IMDSv1. Upgrading it to v2 ensures protection on metadata of instances even if there is SSRF on your web application.

IMDS is having sensitive information so it’s our responsibility to protect it from the bad actors.

Let’s Upgrade IMDS from v1 to v2

To upgrade the IMDS version, I will suggest upgrading using your IAM CLI credentials or IAM access key and access secret. You can create one by below steps:

1. In your AWS console navigate to IAM
2. In access management click on users
3. Open your user and go to security credentials
4. click on Create access key to generate one

Make sure you are having the privilege to create one.

After having the access key and secret, configure aws cli in your local environment.

Now let’s start upgrading the IMDS of instances.

You need instance id of the instances to upgrade it.

1. Run the following command in your terminal

aws ec2 describe-instances --instance-ids <enter-your-instanced-id>

The command will describe the instances and in MetadataOptions you will see that the value of HttpTokens is optional.

2. Run the following command to change the value of HttpTokens

aws ec2 modify-instance-metadata-options --instance-id <enter-your-instanced-id> --http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1

The command will change the value of HttpTokens from Optional to HttpTokens and also enable PutResponseHopLimit to the metadata service.

3. Again run the first command to verify whether metadata is upgraded or not.

aws ec2 describe-instances --instance-ids <enter-your-instanced-id>

You can see that the value of HttpTokens is now required, which ensures that you need a token to access instance metadata.

You will get an Unauthorized message If you try to access the metadata of instances without a token.

Thanks for reading, hope you learned something new. Do clap and share if you like. Stay tuned for my next write-up. Happy Hacking!

Twitter: 7he_unlucky_guy
Linkedin: Vijeta