AWS AWSEC2 high security documentation change
Summary
Added documentation for enforcing IMDSv2 at the account level across regions, including console/CLI/PowerShell implementations. Expanded IAM policy guidance to restrict metadata configuration changes. Added warnings about IMDSv2 enforcement impacts.
Security assessment
The changes explicitly document how to enforce IMDSv2 (a security hardening measure against SSRF vulnerabilities) at the account level, which blocks launching instances without IMDSv2. The added IAM policy restrictions prevent downgrading security configurations. The documentation directly addresses mitigating a known security weakness (IMDSv1 vulnerabilities).
Diff
diff --git a/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.md b/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.md index 6670f8c5a..afdd8ae93 100644 --- a//AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.md +++ b//AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.md @@ -35,0 +36,2 @@ You can use the following methods to require the use of IMDSv2 on your new insta + * Enforce IMDSv2 at the account level + @@ -203 +205 @@ PowerShell -Use the [Edit-EC2InstanceMetadataDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceMetadataDefault.html) command and specify the Region in which to modify the IMDS account level settings. Include `-HttpToken` set to `required` and `-HttpPutResponseHopLimit` set to `2` if your instances will host containers. Otherwise, specify `-1` to indicate no preference. When `-1` (no preference) is specified, at launch, the value defaults to `2` if the AMI has the setting `ImdsSupport: v2.0`; otherwise it defaults to `1`. +Use the [Edit-EC2InstanceMetadataDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceMetadataDefault.html) cmdlet and specify the Region in which to modify the IMDS account level settings. Include `-HttpToken` set to `required` and `-HttpPutResponseHopLimit` set to `2` if your instances will host containers. Otherwise, specify `-1` to indicate no preference. When `-1` (no preference) is specified, at launch, the value defaults to `2` if the AMI has the setting `ImdsSupport: v2.0`; otherwise it defaults to `1`. @@ -218 +220 @@ The following is example output. -Use the [Get-EC2InstanceMetadataDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2InstanceMetadataDefault.html) command and specify the Region. +Use the [Get-EC2InstanceMetadataDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2InstanceMetadataDefault.html) cmdlet and specify the Region. @@ -233 +235 @@ The following is example output. -Use the [Edit-EC2InstanceMetadataDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceMetadataDefault.html) Cmdlet to modify the IMDS account level settings for all Regions. Include `-HttpToken` set to `required` and `-HttpPutResponseHopLimit` set to `2` if your instances will host containers. Otherwise, specify `-1` to indicate no preference. When `-1` (no preference) is specified, at launch, the value defaults to `2` if the AMI has the setting `ImdsSupport: v2.0`; otherwise it defaults to `1`. +Use the [Edit-EC2InstanceMetadataDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceMetadataDefault.html) cmdlet to modify the IMDS account level settings for all Regions. Include `-HttpToken` set to `required` and `-HttpPutResponseHopLimit` set to `2` if your instances will host containers. Otherwise, specify `-1` to indicate no preference. When `-1` (no preference) is specified, at launch, the value defaults to `2` if the AMI has the setting `ImdsSupport: v2.0`; otherwise it defaults to `1`. @@ -260 +262,269 @@ Expected output -Use the [Get-EC2InstanceMetadataDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2InstanceMetadataDefault.html) Cmdlet. +Use the [Get-EC2InstanceMetadataDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2InstanceMetadataDefault.html) cmdlet. + + + (Get-EC2Region).RegionName | ` + ForEach-Object { + [PSCustomObject]@{ + Region = $_ + HttpPutResponseHopLimit = (Get-EC2InstanceMetadataDefault -Region $_).HttpPutResponseHopLimit + HttpTokens = (Get-EC2InstanceMetadataDefault -Region $_).HttpTokens + } + } | ` + Format-Table -AutoSize + +Example output + + + Region HttpPutResponseHopLimit HttpTokens + ------ ----------------------- ---------- + ap-south-1 2 required + eu-north-1 2 required + eu-west-3 2 required + ... + +### Enforce IMDSv2 at the account level + +You can enforce the use of IMDSv2 at the account level for each AWS Region. When enforced, instances can only launch if they're configured to require IMDSv2. This enforcement applies regardless of how the instance or AMI is configured. + +###### Note + +Before enabling IMDSv2 enforcement at the account level, ensure that your applications and AMIs support IMDSv2. For more information, see [Recommended path to requiring IMDSv2](./instance-metadata-transition-to-version-2.html#recommended-path-for-requiring-imdsv2). If IMDSv2 enforcement is enabled and `httpTokens` is not set to `required` in either the instance configuration at launch, the account settings, or the AMI configuration, the instance launch will fail. For troubleshooting information, see [Launching an IMDSv1-enabled instance fails](./troubleshooting-launch.html#launching-an-imdsv1-enabled-instance-fails). + +###### Note + +This setting does not change the IMDS version of existing instances, but blocks enabling IMDSv1 on existing instances that currently have IMDSv1 disabled. + +Console + + +###### To enforce IMDSv2 for the account in the specified Region + + 1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/). + + 2. To change the AWS Region, use the Region selector in the top right corner of the page. + + 3. In the navigation pane, choose **EC2 Dashboard**. + + 4. Under **Account attributes** , choose **Data protection and security**. + + 5. Next to **IMDS defaults** , choose **Manage**. + + 6. On the **Manage IMDS defaults** page, do the following: + + 1. For **Metadata version** , choose **V2 only (token required)**. + + 2. For **Enforce IMDSv2** , choose **Enabled**. + + 3. Choose **Update**. + + + + +AWS CLI + + +###### To enforce IMDSv2 for the account in the specified Region + +Use the [modify-instance-metadata-defaults](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-defaults.html) command and specify the Region in which to enforce IMDSv2. + + + aws ec2 modify-instance-metadata-defaults \ + --region us-east-1 \ + --http-tokens required \ + --http-tokens-enforced enabled + +The following is example output. + + + { + "Return": true + } + +###### To view the IMDSv2 enforcement setting for the account in a specific Region + +Use the [get-instance-metadata-defaults](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-instance-metadata-defaults.html) command and specify the Region. + + + aws ec2 get-instance-metadata-defaults --region us-east-1 + +The following is example output. + + + { + "AccountLevel": { + "HttpTokens": "required", + "HttpTokensEnforced": "enabled" + }, + "ManagedBy": "account" + } + +The `ManagedBy` field indicates the entity that configured the settings. In this example, `account` indicates that the settings were configured directly in the account. A value of `declarative-policy` would mean the settings were configured by a declarative policy. For more information, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the _AWS Organizations User Guide_. + +###### To enforce IMDSv2 for the account for all Regions + +Use the [modify-instance-metadata-defaults](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-defaults.html) command to enforce IMDSv2 in all Regions. + + + echo -e "Region \t Modified" ; \ + echo -e "-------------- \t ---------" ; \ + for region in $( + aws ec2 describe-regions \ + --region us-east-1 \ + --query "Regions[*].[RegionName]" \ + --output text + ); + do (output=$( + aws ec2 modify-instance-metadata-defaults \ + --region $region \ + --http-tokens-enforced enabled \ + --output text) + echo -e "$region \t $output" + ); + done + + +The following is example output. + + + Region Modified + -------------- --------- + ap-south-1 True + eu-north-1 True + eu-west-3 True + ... + +###### To view the IMDSv2 enforcement settings for the account in all Regions + +Use the [get-instance-metadata-defaults](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-instance-metadata-defaults.html) command. + + + echo -e "Region \t Level HttpTokensEnforced" ; \ + echo -e "-------------- \t ------------ ----------------" ; \ + for region in $( + aws ec2 describe-regions \ + --region us-east-1 \ + --query "Regions[*].[RegionName]" \ + --output text + ); + do (output=$( + aws ec2 get-instance-metadata-defaults \ + --region $region \ + --query 'AccountLevel.HttpTokensEnforced' \ + --output text) + echo -e "$region \t ACCOUNTLEVEL $output" + ); + done + +The following is example output. + + + Region Level HttpTokensEnforced + -------------- ------------ ------------------ + ap-south-1 ACCOUNTLEVEL enabled + eu-north-1 ACCOUNTLEVEL enabled + eu-west-3 ACCOUNTLEVEL enabled + ... + +PowerShell + + +###### To enforce IMDSv2 for the account in the specified Region + +Use the [Edit-EC2InstanceMetadataDefault](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2InstanceMetadataDefault.html) cmdlet and specify the Region in which to enforce IMDSv2. + + + Edit-EC2InstanceMetadataDefault ` + -Region us-east-1 ` + -HttpToken required ` + -HttpPutResponseHopLimit 2 + +The following is example output. + +