Instance metadata service best practices
Learn how to automate enforcement of the more secure IMDSv2 standard.
Ensure your cloud instances limit the authentication and network hops required to retrieve valuable instance metadata. Simple configurations can mitigate costly data breaches, in just a few clicks.
This post looks at Amazon EC2 Instance Metadata Service (IMDS) best practices and shows how Turbot Guardrails can enforce them.
Traditional Workflow
Amazon EC2 Instance Metadata Service (IMDS) solves a security headache for cloud teams by providing access to temporary, frequently rotated credentials, removing the need to hardcode or distribute sensitive credentials to your instances. In November 2019 AWS released an updated version of the service named IMDSv2 that provides new protections for IMDS when host systems are insecurely configured.
With the thousands of changes that AWS releases every year it is easy to see how securing your instance metadata might not be at the top of developers' minds, but it should be treated as a foundational security control and not deprioritized into the ever-expanding "we'll get to it later" queue. Waiting compounds the issue, as remediation becomes more complex as your environment grows; a simple configuration upfront can avoid a large security remediation project to correct thousands of instances later on.
Get it done with Turbot Guardrails
In Turbot Guardrails, IMDS governance controls are available to apply across all EC2 Instances. Set AWS > EC2 > Instance > Metadata Service to Enforce: Enabled for V2 Only, and AWS > EC2 > Instance > Metadata Service > HTTP Token Hop Limit to 1.
Create a new policy to limit the hop limit: HTTP Token Hops define the number of network hops that the metadata token can travel. A hop limit of '1' ensures the packet is dropped as it leaves the EC2 instance; a limit of '2' is recommended in a container environment.
Create a new policy to enable IMDSv2: Requiring IMDSv2 enforces a session-oriented retrieval of your instance metadata, which enhances your security posture. The latest AWS SDKs use IMDSv2 calls by default and will revert to IMDSv1 after a few retries. When transitioning to IMDSv2, consider updating your SDKs and related tooling to the latest versions.
After setting the two policies, Turbot Guardrails automation will immediately start enforcing IMDSv2 on all your instances across all regions and accounts. To evaluate the impact of this in your environment first, we suggest setting the value to Check: Enabled for V2 Only at the Turbot level, and then applying the enforcement setting to select development and sandbox environments.
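The two policies above, expressed as an audit that can run in "check" mode before anything is enforced. This is an added example, not Turbot Guardrails or AWS code; it assumes the `MetadataOptions` shape returned by EC2 DescribeInstances, uses constructed sample instances, and the `remediate` helper assumes boto3 and AWS credentials are available when it is called.

```python
# Added example (not Turbot's or AWS's code): audit EC2 MetadataOptions
# against the two policies from the post, then remediate with boto3.

# Constructed sample in the shape EC2 DescribeInstances returns MetadataOptions.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa0000000000001", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaa0000000000002", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaa0000000000003", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 64}},
]


def check_instance(instance, max_hop_limit=1):
    """Return the policy violations for one instance (empty list = compliant).
    max_hop_limit is 1 for ordinary hosts, 2 for container hosts as the post suggests."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return []  # IMDS switched off entirely: nothing to retrieve
    findings = []
    # "optional" (the launch default) still answers unauthenticated IMDSv1 requests.
    if opts.get("HttpTokens") != "required":
        findings.append("IMDSv1 allowed: HttpTokens is not 'required'")
    hops = opts.get("HttpPutResponseHopLimit", 1)
    if hops > max_hop_limit:
        findings.append(f"hop limit {hops} exceeds {max_hop_limit}")
    return findings


def audit(instances, max_hop_limit=1):
    """Map each non-compliant InstanceId to its findings ("check" mode)."""
    report = {}
    for inst in instances:
        findings = check_instance(inst, max_hop_limit)
        if findings:
            report[inst["InstanceId"]] = findings
    return report


def remediate(instance_id, region, hop_limit=1):
    """Apply the same two settings to a live instance ("enforce" mode)."""
    import boto3  # imported here so the offline audit above runs without it
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.modify_instance_metadata_options(
        InstanceId=instance_id, HttpEndpoint="enabled",
        HttpTokens="required", HttpPutResponseHopLimit=hop_limit)
```

Run `audit(SAMPLE_INSTANCES)` to see the two non-compliant sample instances flagged; `remediate` performs the same change Guardrails makes when the policy is set to Enforce.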
Make it happen!
See for yourself how increasing your EC2 security posture takes only a few clicks to set up; the policy examples above are available as a Terraform template in the Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!