Cloud Security

IMDSv2

Version 2 of the AWS EC2 Instance Metadata Service, which requires session-based tokens for metadata access and eliminates the Server-Side Request Forgery vulnerability inherent in IMDSv1.

The AWS EC2 Instance Metadata Service (IMDS) provides instances with information including IAM role credentials. IMDSv1, accessed via simple HTTP GET to 169.254.169.254, was vulnerable to Server-Side Request Forgery attacks: any SSRF flaw in an application running on an EC2 instance could be exploited to steal the instance's IAM role credentials. This vector was used in the 2019 Capital One breach.

IMDSv2 introduces a session token requirement. To access metadata, a client must first issue a PUT request to obtain a token, then include that token in subsequent GET requests. SSRF vulnerabilities that can only issue GET requests cannot retrieve a token and therefore cannot access metadata.

AWS now defaults new instances to IMDSv2 in most regions, but existing instances and instances launched from older AMIs may still allow IMDSv1. Enforce IMDSv2 at the account level via a Service Control Policy requiring aws:MetadataHttpTokens to be required.

See: The 7 AWS Misconfigurations We Find in Every Enterprise Audit.

← Back to Glossary