TL;DR If you are only interested in how to turn the feature on, skip to “How do we enable the security token to test IMDSv2”.

This blog post is about a recently released update to the AWS EC2 instance metadata service, IMDSv2, which improves security by adding a defence-in-depth layer in front of the metadata endpoint. You will learn how to migrate an EC2 instance to IMDSv2, and how to roll the change back to IMDSv1 if you run into problems.

Why did AWS release version 2 of the AWS EC2 Instance Metadata Service (IMDSv2)?

In mid-November 2019, AWS released an update to the EC2 instance metadata service, the endpoint an instance queries to learn about itself (instance ID, IAM role credentials and so on). AWS describes the new version as defence in depth against open firewalls, reverse proxies and SSRF vulnerabilities. IMDSv2 requires a session token on every request, and that token can only be obtained by sending a specific request with the HTTP PUT method.

The service, first introduced a decade ago in 2009, has been widely used to exploit Server-Side Request Forgery (SSRF) vulnerabilities in web applications running on EC2. A tester who found an SSRF in such an application could make it call version 1 of the metadata service, read the temporary STS credentials of the instance's IAM role, and then enumerate what that role is allowed to do. The endpoint listens on a link-local IP address (169.254.169.254) and, in version 1, answers unauthenticated HTTP GET requests, which is exactly the kind of request a typical SSRF lets an attacker send.

With the new version, AWS has introduced token-based authentication for requests to the endpoint: a separate PUT request must first be made to obtain the token, and every subsequent request must present that token in a header. According to the IMDSv2 introduction blog post, AWS designed this after looking at multiple real-world attacks. Having to obtain the secret token first and then use it on successive requests mitigates most SSRF attacks, because a typical SSRF gives the attacker one GET with attacker-chosen URL but not a PUT with a custom header followed by a second, dependent request.

Using the HTTP PUT method to initiate the session protects against misconfigured Web Application Firewalls (WAFs) and reverse proxies that forward requests to EC2 instances: most such open WAFs and proxies do not forward PUT requests. Two further checks matter in practice: the PUT must carry an X-aws-ec2-metadata-token-ttl-seconds header (1 to 21600 seconds), and the service will not issue a token to a PUT that arrives with an X-Forwarded-For header, which proxies add. By default the response carrying the token is also sent with an IP hop limit of 1, so it does not survive being relayed through another host.
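The two-step exchange described above, as an added example that is not code from the original post or from AWS. The client functions send exactly the requests you would send to http://169.254.169.254 from an instance; because that endpoint is not reachable offline, they are run here against FakeImdsV2, a constructed mock of an instance with IMDSv2 required, and the metadata values in FAKE_METADATA are made up for the example. The mock's status codes (401 for a token-less GET, 403 for a PUT that carries X-Forwarded-For, 400 for a bad TTL) follow the service's documented responses as far as this example needs.

```python
"""IMDSv2 session-token exchange, run against a local stand-in for the service."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_URL = "http://169.254.169.254"  # the real endpoint; not contacted offline
TOKEN_PATH = "/latest/api/token"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600  # IMDSv2 caps a session token at six hours

# Constructed sample metadata; a real instance returns its own values here.
FAKE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/iam/security-credentials/": "example-app-role",
}

# IMDS calls must never go through an HTTP proxy, so ignore proxy env vars.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class FakeImdsV2(BaseHTTPRequestHandler):
    """Mock of an instance on which IMDSv2 is required (IMDSv1 disabled)."""
    issued_tokens = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        """The only way to obtain a token."""
        if self.path != TOKEN_PATH:
            return self._reply(404)
        ttl = self.headers.get(TTL_HEADER, "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
            return self._reply(400)  # TTL header missing or out of range
        if "X-Forwarded-For" in self.headers:
            return self._reply(403)  # request was relayed by a proxy
        token = secrets.token_urlsafe(32)
        self.issued_tokens.add(token)
        self._reply(200, token)

    def do_GET(self):
        """Metadata reads; a GET without a valid token is what an SSRF sends."""
        if self.headers.get(TOKEN_HEADER) not in self.issued_tokens:
            return self._reply(401)
        body = FAKE_METADATA.get(self.path)
        if body is None:
            return self._reply(404)
        self._reply(200, body)


def _send(req):
    """Return (status, body); HTTP error responses are reported as statuses."""
    try:
        with OPENER.open(req, timeout=3) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def request_token(base, ttl=MAX_TTL, extra_headers=None):
    """Step 1 of IMDSv2: PUT /latest/api/token with the TTL header."""
    headers = {TTL_HEADER: str(ttl), **(extra_headers or {})}
    return _send(urllib.request.Request(base + TOKEN_PATH, method="PUT", headers=headers))


def read_metadata(base, path, token=None):
    """Step 2: GET a metadata path, presenting the token (or none, as IMDSv1 would)."""
    headers = {TOKEN_HEADER: token} if token else {}
    return _send(urllib.request.Request(base + path, headers=headers))


def start_fake_imds():
    """Start the mock on a random loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeImdsV2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def demo():
    """Run the v1-style, proxied, bad-TTL and proper v2 exchanges; return the outcomes."""
    server, base = start_fake_imds()
    try:
        v1_status, _ = read_metadata(base, "/latest/meta-data/instance-id")
        proxied_status, _ = request_token(base, extra_headers={"X-Forwarded-For": "10.0.0.9"})
        bad_ttl_status, _ = request_token(base, ttl=0)
        token_status, token = request_token(base)
        v2_status, instance_id = read_metadata(base, "/latest/meta-data/instance-id", token)
        return {"v1": v1_status, "proxied_put": proxied_status, "bad_ttl": bad_ttl_status,
                "token": token_status, "v2": v2_status, "instance_id": instance_id}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

To use the client against a real instance, pass IMDS_URL as `base`; the token-less GET that returns 401 here is the request an SSRF payload would make, and the proxied PUT is why a forwarded request cannot mint a token.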

AWS also released a CloudWatch metric, MetadataNoToken (in the AWS/EC2 namespace), which counts calls to the metadata endpoint made without a token. Watching it per instance lets you find the instances, and the software on them, that still use IMDSv1 before you enforce IMDSv2.

How do we enable the security token to test IMDSv2