[EC2.8]
EC2 instances should use IMDSv2
Description
All EC2 instances must have the Instance Metadata Service configured to require Instance Metadata Service Version 2 (IMDSv2). IMDS removes the need to hard-code sensitive credentials on instances by providing access to temporary, frequently rotated credentials; IMDSv2 adds a session token requirement to every metadata request. To make this rule COMPLIANT, you must set HttpTokens to required in the launch template's MetadataOptions, so that only IMDSv2 (token-authenticated) requests are served.
Details
| Property | Value |
|---|---|
| Category | Protect > Network security |
| Compliance Control ID | EC2.8 |
| FortifyFox ID | FF100028 |
| Link | EC2.8 Compliance |
| Resource Type(s) | AWS::EC2::LaunchTemplate |
| Severity | High |
Remediation
Use the following CloudFormation templates to generate a launch template for deploying an EC2 instance compliant with EC2.8. Both templates set HttpTokens to required, which rejects IMDSv1 requests that carry no session token.
YAML Template
```yaml
Resources:
  ec2Template:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        MetadataOptions:
          HttpTokens: required
```
JSON Template
```json
{
  "Resources": {
    "ec2Template": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {
        "LaunchTemplateData": {
          "MetadataOptions": {
            "HttpTokens": "required"
          }
        }
      }
    }
  }
}
```
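As an added example (not part of this page or of FortifyFox's own checker), the following Python evaluates EC2.8 against a parsed CloudFormation template the way a pre-deployment lint would: it walks every AWS::EC2::LaunchTemplate resource and reports only HttpTokens set to required as COMPLIANT. The sample inputs are constructed here from the JSON remediation template above; the function name `check_ec2_8` and the status strings are assumptions.

```python
import copy

LAUNCH_TEMPLATE = "AWS::EC2::LaunchTemplate"

# Constructed sample input: the page's JSON remediation template, already parsed.
COMPLIANT = {
    "Resources": {
        "ec2Template": {
            "Type": LAUNCH_TEMPLATE,
            "Properties": {
                "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "required"}}
            },
        }
    }
}

# Constructed variants: one sets the weak value explicitly, one omits
# MetadataOptions entirely (the template then does not enforce IMDSv2 itself).
OPTIONAL = copy.deepcopy(COMPLIANT)
OPTIONAL["Resources"]["ec2Template"]["Properties"]["LaunchTemplateData"][
    "MetadataOptions"]["HttpTokens"] = "optional"
UNSET = copy.deepcopy(COMPLIANT)
del UNSET["Resources"]["ec2Template"]["Properties"]["LaunchTemplateData"]["MetadataOptions"]
UNSET["Resources"]["logs"] = {"Type": "AWS::S3::Bucket"}  # unrelated resource, must be skipped


def check_ec2_8(template):
    """Evaluate EC2.8 for every AWS::EC2::LaunchTemplate in a parsed template.

    Returns {logical_id: (status, reason)}. Only HttpTokens == "required" passes.
    An absent setting is reported NON_COMPLIANT: the template then relies on
    whatever default applies at launch time instead of enforcing IMDSv2 itself.
    """
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != LAUNCH_TEMPLATE:
            continue
        props = resource.get("Properties") or {}
        data = props.get("LaunchTemplateData") or {}
        tokens = (data.get("MetadataOptions") or {}).get("HttpTokens")
        if tokens == "required":
            findings[logical_id] = ("COMPLIANT", "HttpTokens is 'required'")
        elif tokens is None:
            findings[logical_id] = ("NON_COMPLIANT", "HttpTokens is not set")
        else:
            findings[logical_id] = ("NON_COMPLIANT", f"HttpTokens is {tokens!r}")
    return findings


if __name__ == "__main__":
    for name, tpl in (("compliant", COMPLIANT), ("optional", OPTIONAL), ("unset", UNSET)):
        print(name, check_ec2_8(tpl))
```

Feed it the output of `json.load` on a JSON template or `yaml.safe_load` on the YAML one; it deliberately reports the YAML template above as COMPLIANT and anything weaker as NON_COMPLIANT.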