Severity: HIGH | Service: EC2

EC2 IMDSv1 enabled

Check ID: aws-ec2-004

AWS-EC2-004 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for running EC2 instances that still allow IMDSv1, that is, instances whose metadata options have HttpTokens set to anything other than 'required'. IMDSv1 is vulnerable to SSRF attacks.

Why it matters

IMDSv1 is vulnerable to Server-Side Request Forgery (SSRF) attacks that can steal IAM role credentials from the instance metadata service. The 2019 Capital One breach exploited exactly this weakness: an SSRF in a WAF configuration allowed the attacker to query the metadata endpoint at 169.254.169.254, steal temporary credentials, and access 100 million customer records. AWS introduced IMDSv2 with session tokens specifically to prevent this attack vector. Enforcing IMDSv2 (HttpTokens=required) blocks simple SSRF exploits because every metadata request must carry a session token that is only issued in response to a PUT request, and a typical SSRF primitive can issue only a plain GET with no control over the HTTP method or request headers.

Common causes

IMDSv1 remains the default on older instance types and AMIs created before 2020. Teams that use custom AMIs or launch configurations created years ago inherit IMDSv1 without realizing it. Auto Scaling groups are particularly prone because the launch template may predate IMDSv2 enforcement, and updating requires creating a new launch template version.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
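To make the check's criterion concrete, the following is an added Python example and not cloud-audit's own code. It applies the aws-ec2-004 rule (running instance, HttpTokens not 'required') to the JSON shape that boto3's describe_instances returns and emits the same remediation command the page gives. The sample response, instance IDs and region are constructed so the example runs offline; scan_region is the only part that needs boto3 and AWS credentials. One assumption beyond the page's wording: an instance whose HttpEndpoint is 'disabled' does not expose IMDS at all, so it is not reported.

```python
"""Offline illustration of an IMDSv1 check in the style of aws-ec2-004.

Added example, not cloud-audit's code. The dict layout mirrors the EC2
DescribeInstances API; all values below are constructed for the demo.
"""
from typing import Dict, List

CHECK_ID = "aws-ec2-004"
SEVERITY = "HIGH"

# Constructed sample in the shape boto3's ec2.describe_instances() returns.
SAMPLE_RESPONSE: Dict = {
    "Reservations": [
        {
            "Instances": [
                # Running, IMDSv1 allowed -> should be reported
                {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
                 "MetadataOptions": {"HttpTokens": "optional",
                                     "HttpEndpoint": "enabled",
                                     "HttpPutResponseHopLimit": 1}},
                # Running, IMDSv2 enforced -> compliant
                {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
                 "MetadataOptions": {"HttpTokens": "required",
                                     "HttpEndpoint": "enabled",
                                     "HttpPutResponseHopLimit": 1}},
                # Stopped instance -> out of scope for this check
                {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"},
                 "MetadataOptions": {"HttpTokens": "optional",
                                     "HttpEndpoint": "enabled"}},
                # Running, but IMDS endpoint disabled -> nothing to reach (assumption)
                {"InstanceId": "i-0ddd444", "State": {"Name": "running"},
                 "MetadataOptions": {"HttpTokens": "optional",
                                     "HttpEndpoint": "disabled"}},
            ]
        }
    ]
}


def allows_imdsv1(instance: Dict) -> bool:
    """True if the instance can still answer token-less (IMDSv1) requests."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return False  # assumption: disabled endpoint means no IMDS exposure
    # Missing HttpTokens is treated as 'optional', the conservative reading.
    return opts.get("HttpTokens", "optional") != "required"


def remediation_command(instance_id: str, region: str) -> str:
    """The same AWS CLI fix the check page recommends, filled in per instance."""
    return (
        f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
        f"--http-tokens required --http-endpoint enabled --region {region}"
    )


def find_findings(response: Dict, region: str) -> List[Dict]:
    """Walk a DescribeInstances response and return one finding per exposed instance."""
    findings: List[Dict] = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # the check only covers running instances
            if allows_imdsv1(inst):
                findings.append({
                    "check_id": CHECK_ID,
                    "severity": SEVERITY,
                    "instance_id": inst["InstanceId"],
                    "region": region,
                    "remediation": remediation_command(inst["InstanceId"], region),
                })
    return findings


def scan_region(region: str) -> List[Dict]:
    """Live variant: needs boto3 and credentials. Not used by the offline demo."""
    import boto3  # imported lazily so the offline part runs without it
    ec2 = boto3.client("ec2", region_name=region)
    findings: List[Dict] = []
    paginator = ec2.get_paginator("describe_instances")
    pages = paginator.paginate(
        Filters=[{"Name": "instance-state-name", "Values": ["running"]}]
    )
    for page in pages:
        findings.extend(find_findings(page, region))
    return findings


if __name__ == "__main__":
    for f in find_findings(SAMPLE_RESPONSE, "us-east-1"):
        print(f"[{f['severity']}] {f['check_id']} {f['instance_id']} ({f['region']})")
        print(f"  fix: {f['remediation']}")
```

Running the script offline reports only i-0aaa111 together with its modify-instance-metadata-options command; the stopped and endpoint-disabled instances are skipped for the reasons noted in the comments.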

Remediation: AWS CLI

aws ec2 modify-instance-metadata-options --instance-id INSTANCE_ID --http-tokens required --http-endpoint enabled --region REGION

Remediation: Terraform

resource "aws_instance" "example" {
  metadata_options {
    # Require an IMDSv2 session token on every metadata request (disables IMDSv1)
    http_tokens   = "required"
    # Keep the metadata endpoint reachable so the instance can still fetch role credentials
    http_endpoint = "enabled"
  }
}

This check is part of cloud-audit; install it with: pip install cloud-audit