Why you should use IMDSv2

LEVEL: BASIC

It's essential to understand the potential risks associated with using various services and configurations within cloud environments. One configuration that may pose a risk is the use of IMDSv1 with Amazon Web Services (AWS) Elastic Compute Cloud (EC2). In this post, we'll discuss why it's dangerous to use IMDSv1 with AWS EC2 and why we should use IMDSv2 instead.

The Instance Metadata Service (IMDS) is a service provided by AWS that allows EC2 instances to access metadata about themselves, such as their instance ID, security groups, and IAM role.

IMDSv1 is dangerous to use with AWS EC2 because it lacks any built-in security features. The metadata endpoint is publicly accessible, which means that anyone who can reach the EC2 instance can potentially access the metadata. This can be a significant risk if an attacker gains access to the EC2 instance.

Suppose an attacker gains access to an EC2 instance that has access to a secret key stored in the instance metadata. They can then use this secret key to access other resources in the account, potentially leading to a full compromise of the environment. This is why it's essential to take measures to protect the metadata endpoint.

Example:

[<linux-user>@ip-xx-xx-xx-xx ~]$ curl -XGET http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

{

"Code" : "Success",

"LastUpdated" : "2023-02-27T16:46:31Z",

"Type" : "AWS-HMAC",

"AccessKeyId" : "super_secret_access_key_id",

"SecretAccessKey" : "super_secret_access_key",

"Expiration" : "2023-02-27T22:48:51Z"

}

IMDSv2 is the second version of the IMDS that was introduced in 2019. IMDSv2 provides several security features that make it safer to use with AWS EC2 instances.

IMDSv2 is safer to use with AWS EC2 instances because it provides several security features that make it more difficult for attackers to access sensitive data and resources.

1. Encrypted Communications: IMDSv2 encrypts all communications between EC2 instances and the metadata endpoint, making it more difficult for attackers to intercept data.

2. Enhanced IAM Integration: IMDSv2 integrates more closely with AWS IAM, allowing for more fine-grained control over access to the metadata endpoint.

3. Session Authentication: IMDSv2 uses session authentication to ensure that requests to the metadata endpoint come from a valid session, making it more difficult for attackers to spoof requests.

4. Time-bound Credentials: IMDSv2 provides time-bound credentials that can be used to access the metadata endpoint. These credentials automatically expire after a set period, reducing the risk of unauthorized access.

We can make use of the metadata endpoint with IMDSV2 like this:

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \

&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/

Adding another layer of defense, IMDSv2 will also not issue session tokens to any caller with an X-Forwarded-For header, which is effective at blocking unauthorized access due to misconfigurations like an open reverse proxy.

Using IMDSv1 with AWS EC2 can be risky since it provides attackers with access to sensitive data and resources. By using IMDSv2, you can significantly reduce the risk of a compromise.

Happy coding and see you in the Cloud!

References:

• https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

Juan Bermudez

Cloud Engineer

Teracloud

If you want to know more about Cloud Security, we suggest going check Best Security Practices, Well-Architected Framework

If you are interested in learning more about our #TeraTips or our blog's content, we invite you to see all the content entries that we have created for you and your needs. And subscribe to be aware of any news! 👇