Ensure your cloud instances limit the authentication and network hops required to retrieve valuable instance metadata.  Simple configurations can mitigate costly data breaches, in just a few clicks.  This week we will look at Amazon EC2 Instance Metadata Service (IMDS) best practices and see how Turbot can enforce them. 

Traditional Workflow

Amazon EC2 Instance Metadata Service (IMDS) solves a security headache for cloud teams by providing access to temporary, frequently rotated credentials, removing the need to hardcode or distribute sensitive credentials to your instances. In November 2019 AWS released an updated version of the service named IMDSv2 that provides new protections for IMDS when host systems are insecurely configured. 

With the thousands of changes that AWS releases every year it is easy to see how securing your instance metadata might not be on the top of developers minds, but it should be considered as a foundational security control and not deprioritized to the ever expanding “we’ll get to it later” queue.  Waiting compounds the issue as remediation will become more complex as your environment grows; a simple configuration upfront can mitigate a large security remediation project to correct 1000s of instances later on.

Get it done with Turbot

In Turbot, IMDS governance controls are available to apply across all EC2 Instances.  Set `AWS > EC2 > Instance > Metadata Service` to `Enforce: Enabled for V2 Only`, and `AWS > EC2 > Instance > Metadata Service > HTTP Token Hop Limit` to `1`.

Create a new policy - limit the Hop limit:  HTTP Token Hops define the number of network hops that the metadata token can travel. Hop Limit of ‘1’ ensures the packet is dropped leaving the EC2 instance, a limit of ‘2’ would be recommended in a container environment.

Create a new policy - enable IMDSv2:  Requiring IMDSv2 will require a session-oriented retrieval of your instance metadata which will enhance your security posture.  The latest AWS SDKs use IMDSv2 calls by default, and will revert to IMDSv1 after a few retries. When transitioning to IMDSv2, consider updating your SDKs and related tooling to the latest versions.  

After setting the two policies, Turbot automation will immediately start enforcing the new IMDSv2 on all your instances across all regions and accounts.  To evaluate the impact of this in your environment first, we suggest setting the value to `Check: Enabled for v2 Only` at the Turbot level, and then applying the enforcement setting to select development and sandbox environments.

Make it happen

See for yourself how increasing your EC2 security posture is simply a few clicks to setup; the policy examples above are available as a Terraform template in the Turbot Development Kit (TDK).  If you need any assistance getting this configured in your environment please reach out to Turbot Support, and keep an eye on your inbox for another Turbot tip next week!

Cheers,

Bob