top of page

Why you should use IMDSv2


LEVEL: BASIC

 

It's essential to understand the potential risks associated with using various services and configurations within cloud environments. One configuration that may pose a risk is the use of IMDSv1 with Amazon Web Services (AWS) Elastic Compute Cloud (EC2). In this post, we'll discuss why it's dangerous to use IMDSv1 with AWS EC2 and why we should use IMDSv2 instead.


The Instance Metadata Service (IMDS) is a service provided by AWS that allows EC2 instances to access metadata about themselves, such as their instance ID, security groups, and IAM role.


IMDSv1 is dangerous to use with AWS EC2 because it lacks any built-in security features. The metadata endpoint is publicly accessible, which means that anyone who can reach the EC2 instance can potentially access the metadata. This can be a significant risk if an attacker gains access to the EC2 instance.



Suppose an attacker gains access to an EC2 instance that has access to a secret key stored in the instance metadata. They can then use this secret key to access other resources in the account, potentially leading to a full compromise of the environment. This is why it's essential to take measures to protect the metadata endpoint.


Example:


[<linux-user>@ip-xx-xx-xx-xx ~]$ curl -XGET http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

{

"Code" : "Success",

"LastUpdated" : "2023-02-27T16:46:31Z",

"Type" : "AWS-HMAC",

"AccessKeyId" : "super_secret_access_key_id",

"SecretAccessKey" : "super_secret_access_key",

"Expiration" : "2023-02-27T22:48:51Z"

}



IMDSv2 is the second version of the IMDS that was introduced in 2019. IMDSv2 provides several security features that make it safer to use with AWS EC2 instances.

IMDSv2 is safer to use with AWS EC2 instances because it provides several security features that make it more difficult for attackers to access sensitive data and resources.

  1. Encrypted Communications: IMDSv2 encrypts all communications between EC2 instances and the metadata endpoint, making it more difficult for attackers to intercept data.

  2. Enhanced IAM Integration: IMDSv2 integrates more closely with AWS IAM, allowing for more fine-grained control over access to the metadata endpoint.

  3. Session Authentication: IMDSv2 uses session authentication to ensure that requests to the metadata endpoint come from a valid session, making it more difficult for attackers to spoof requests.