The Instance Metadata Service (IMDS) in AWS provides critical information about EC2 instances, including network configurations, IAM roles, and other contextual data. AWS offers two versions: IMDSv1 (legacy) and IMDSv2 (more secure). While IMDSv2 is recommended, AWS does not enforce it by default.
What is IMDS?
IMDS is a REST-based service reachable only from inside an EC2 instance at the link-local address `http://169.254.169.254`. It lets software on the instance retrieve instance metadata, including the temporary credentials of the instance's IAM role, without baking long-lived credentials into the image.
Key Differences Between IMDSv1 and IMDSv2
- IMDSv1: Answers plain, unauthenticated HTTP GET requests; anything that can make the instance issue a GET (for example an SSRF bug in a web app) can read the metadata.
- IMDSv2: Requires a session token that must first be obtained with an HTTP PUT request carrying a custom header, and the token is then sent on every GET. This blocks most SSRF primitives, which cannot issue a PUT with custom headers, and so reduces the risk of unauthorized metadata and credential access.
How to Enable IMDSv2 on an EC2 Instance
1. Using AWS CLI:
aws ec2 modify-instance-metadata-options \
    --instance-id <INSTANCE_ID> \
    --http-tokens required \
    --http-endpoint enabled
2. Via AWS Console:
- Go to EC2 Dashboard → Select instance → Actions → Instance Settings → Modify Metadata Options.
- Set Metadata version to V2 only (required).
You Should Know: Retrieving Metadata in IMDSv2
To fetch metadata securely in IMDSv2, first obtain a session token:
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
Then use the token to request metadata:
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
Critical Security Considerations
- Disable IMDSv1 (`--http-tokens required`) to close the classic SSRF path to instance credentials, and set the PUT response hop limit to 1 so a session token cannot be relayed through an extra network hop (for example from a container behind the instance's NAT):
aws ec2 modify-instance-metadata-options \
    --instance-id <INSTANCE_ID> \
    --http-tokens required \
    --http-endpoint enabled \
    --http-put-response-hop-limit 1
- Use IAM policies to require IMDSv2 at launch time (the `ec2:MetadataHttpTokens` condition key on `ec2:RunInstances`), so new instances cannot be created with IMDSv1 enabled.
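Checking these settings by hand does not scale across a fleet. The following added example (not part of the original post) audits the `MetadataOptions` block of `aws ec2 describe-instances` output and prints the remediation command from this post for each non-compliant instance; the instance IDs and JSON are constructed sample data, and the audit reads only the fields shown.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output;
# only the fields the audit reads are included (assumption).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "MetadataOptions": {
            "HttpTokens": "required", "HttpEndpoint": "enabled",
            "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222", "MetadataOptions": {
            "HttpTokens": "optional", "HttpEndpoint": "enabled",
            "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0ccc333", "MetadataOptions": {
            "HttpTokens": "optional", "HttpEndpoint": "disabled",
            "HttpPutResponseHopLimit": 1}},
    ]}]
})


def audit_metadata_options(describe_json: str) -> dict:
    """Return {instance_id: [findings]} for instances that still allow
    IMDSv1 or let the token PUT response travel beyond one hop."""
    findings = {}
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            issues = []
            # A disabled endpoint serves nothing, so its other settings are moot.
            if opts.get("HttpEndpoint") == "enabled":
                if opts.get("HttpTokens") != "required":
                    issues.append("IMDSv1 still allowed (HttpTokens is not 'required')")
                if opts.get("HttpPutResponseHopLimit", 1) > 1:
                    issues.append("HttpPutResponseHopLimit > 1: token can cross a hop")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_command(instance_id: str) -> str:
    """The modify-instance-metadata-options call from this post, per instance."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} --http-tokens required "
            "--http-endpoint enabled --http-put-response-hop-limit 1")


if __name__ == "__main__":
    for instance_id, issues in audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES).items():
        print(instance_id, "->", "; ".join(issues))
        print("  fix:", remediation_command(instance_id))
```

Feed it the real output (`aws ec2 describe-instances --output json`) to get the list of instances to fix; the disabled-endpoint instance is deliberately left out of the findings.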
Expected Output: Sample Metadata Retrieval
$ curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/info
{
  "Code": "Success",
  "LastUpdated": "2023-10-05T12:00:00Z",
  "InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/ExampleRole"
}
What Undercode Say
AWS IMDS is a powerful but often misconfigured service. Always enforce IMDSv2 to mitigate security risks. Use Linux commands like `curl` and AWS CLI to manage metadata securely. For automation, integrate these checks in cloud-init scripts:
#!/bin/bash
# Obtain an IMDSv2 session token (valid for up to 6 hours), then use it for the metadata GET.
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
INSTANCE_ID=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
echo "Instance ID: $INSTANCE_ID"
For Windows EC2 instances, use PowerShell:
$token = (Invoke-WebRequest -Uri "http://169.254.169.254/latest/api/token" -Method PUT -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"}).Content
$metadata = (Invoke-WebRequest -Uri "http://169.254.169.254/latest/meta-data/" -Headers @{"X-aws-ec2-metadata-token" = $token}).Content
Write-Output $metadata
Expected Output:
A secure, well-configured IMDSv2 setup with enforced token-based access and minimized attack surface.
Reported By: Darryl Ruggles – Hackers Feeds