Upgrading from AWS EC2 IMDSv1 to IMDSv2

Sai Dilip
Published in Sai Ops, Feb 16, 2022

Documentation inspired by Cloudnaut.io and Praveen Kumar

What does IMDS stand for and what does each version achieve?

- "Instance Metadata Service Version 1 (IMDSv1) – a request/response method"
- "Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method"

Background information

  • Instance metadata can only be retrieved from within the EC2 instance itself. It includes the temporary credentials of the instance's IAM role, IAM information, metrics, public keys, security groups, and much more. This information is clearly sensitive, and it can be read by anyone who can issue HTTP requests from inside the instance.

Problem with IMDSv1

  • No authentication is required to retrieve metadata: any process on the instance that can send a plain HTTP GET to the metadata endpoint receives it.

Solution with IMDSv2

  • A session token is now required for every metadata request. Version 2 is session-oriented: the token is obtained with an HTTP PUT request and expires after the time-to-live you request for it.

How to upgrade existing EC2 Metadata version to 2

1. Get the instance IDs of the EC2 instances that need this update and copy them. If you have the checks enabled, Trusted Advisor lists the instances that still need the upgrade.

2. Execute the following command in AWS CloudShell, replacing the instance-id parameter. It describes the specified instance; page through the response (press Enter) and find the MetadataOptions block.

aws ec2 describe-instances --instance-ids <your-instance-id>

3. As you can see, the HttpTokens parameter is set to optional; that is what we will change. Press Q to exit the pager and return to the terminal.

4. Execute the following command, replacing the instance-id argument and adjusting the other arguments as needed. It sets HttpTokens to required and the PUT response hop limit to 1 on the instance's metadata service if they are not already set that way.

aws ec2 modify-instance-metadata-options --instance-id <your-instance-id> --http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1

http-tokens : “The state of token usage for your instance metadata requests.”

http-put-response-hop-limit : “The desired HTTP PUT response hop limit for instance metadata requests.”

Refer to the AWS CLI Command Reference

5. Now that tokens are required, verify that the fields have changed by executing the following command in AWS CloudShell, again replacing the instance-id argument.

aws ec2 describe-instances --instance-ids <your-instance-id>
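Steps 1 to 5 handle one instance at a time. The script below is an added example, not part of the original post, that audits every instance in a region with the same describe-instances and modify-instance-metadata-options commands: it lists instances whose HttpTokens is not required or whose hop limit exceeds 1, and prints the remediation command for each instead of applying it, so the list can be reviewed before anything changes. It assumes AWS CLI v2 with credentials permitted to call ec2:DescribeInstances; the function names, the sample rows and the instance IDs in it are constructed for the example.

```shell
#!/bin/sh
# Audit EC2 instances for IMDSv1 exposure and emit remediation commands.
# Added example, not from the original post. Assumes AWS CLI v2 and
# credentials allowed to call ec2:DescribeInstances.
set -eu

# fetch_metadata_options REGION
# Prints one tab-separated line per instance:
#   <instance-id>  <MetadataOptions.HttpTokens>  <MetadataOptions.HttpPutResponseHopLimit>
fetch_metadata_options() {
  aws ec2 describe-instances --region "$1" \
    --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens,MetadataOptions.HttpPutResponseHopLimit]' \
    --output text
}

# find_noncompliant (reads the rows above on stdin)
# Keeps rows where tokens are not "required" or the hop limit is above 1.
find_noncompliant() {
  awk -F'\t' '$2 != "required" || $3+0 > 1 { print $1 "\t" $2 "\t" $3 }'
}

# remediation_commands REGION (reads noncompliant rows on stdin)
# Emits the modify-instance-metadata-options call for each row; nothing is executed.
remediation_commands() {
  awk -F'\t' -v region="$1" '{
    printf "aws ec2 modify-instance-metadata-options --region %s --instance-id %s --http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1\n", region, $1
  }'
}

if [ "${1:-}" = "--live" ]; then
  # Real run: query the account and print one remediation command per finding.
  region=${2:-us-east-1}
  fetch_metadata_options "$region" | find_noncompliant | remediation_commands "$region"
else
  # Offline run on constructed sample rows (not from a real account):
  # one instance still optional, one compliant, one with a hop limit of 2.
  printf 'i-0aaa111\toptional\t1\ni-0bbb222\trequired\t1\ni-0ccc333\trequired\t2\n' \
    | find_noncompliant | remediation_commands us-east-1
fi
```

Run it as `sh imds-audit.sh --live REGION` against a real account; without arguments it processes the constructed sample. Before applying the printed commands, confirm that nothing on the instance still depends on IMDSv1 (older SDKs or agents), and check that the hop-limit threshold fits the workload: processes that reach IMDS from inside a container network namespace need a hop limit of 2, so for such hosts raise the threshold in find_noncompliant and the emitted --http-put-response-hop-limit value together.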

6. Once you get output like the above, connect to the instance (for example through the console) and run the following curl command:

curl http://169.254.169.254/latest/meta-data/

Notice the 401 Unauthorized response. That shows the upgrade has worked: with IMDSv1 still enabled, a request without a token would return the metadata instead of an unauthorized error.

7. To get instance metadata using version 2, execute the following commands. The first requests a token (valid here for 21600 seconds, i.e. six hours) and stores it in a variable; the second sends that token with the metadata request.

TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/

With a valid token, the same request now returns the metadata.
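Steps 6 and 7 are done by hand. The script below is an added example, not part of the original post, that performs the same two checks from inside the instance and turns them into a pass/fail verdict usable in a startup or configuration check: a GET without a token must be rejected with 401, and a GET carrying a freshly issued token must succeed. It assumes curl is installed on the instance; the function and verdict names are my own.

```shell
#!/bin/sh
# Verify from inside an instance that IMDSv2 is enforced.
# Added example, not from the original post. Assumes curl is installed and the
# script runs on the instance itself (IMDS is only reachable from there).
IMDS=http://169.254.169.254

# classify_imds NO_TOKEN_STATUS WITH_TOKEN_STATUS
# Maps the two HTTP status codes observed in steps 6 and 7 to a verdict.
classify_imds() {
  case "$1/$2" in
    401/200)     echo "imdsv2-enforced" ;;            # step 6 rejected, step 7 succeeded
    200/*)       echo "imdsv1-still-allowed" ;;       # untokened GET returned metadata
    000/*|*/000) echo "imds-unreachable-or-disabled" ;; # curl got no HTTP response
    401/*)       echo "imdsv2-token-rejected" ;;      # no usable token was obtained
    *)           echo "unexpected:$1/$2" ;;
  esac
}

# check_imds: perform both requests, print the verdict, exit 0 only when enforced.
check_imds() {
  # Step 6: GET with no token. -w prints the status code; 000 on timeout/failure.
  no_token=$(curl -s -m 2 -o /dev/null -w '%{http_code}' "$IMDS/latest/meta-data/" || true)
  # Step 7a: request a short-lived token (60 s is enough for a check).
  token=$(curl -s -m 2 -X PUT "$IMDS/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60" || true)
  # Step 7b: repeat the GET with the token attached.
  with_token=$(curl -s -m 2 -o /dev/null -w '%{http_code}' \
            -H "X-aws-ec2-metadata-token: $token" "$IMDS/latest/meta-data/" || true)
  verdict=$(classify_imds "$no_token" "$with_token")
  echo "$verdict"
  [ "$verdict" = "imdsv2-enforced" ]
}

# Only contact IMDS when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
  check_imds
fi
```

Run `sh check-imds.sh --run` on the instance. The verdicts separate cases that step 6 alone does not: a 200 without a token means IMDSv1 is still allowed, 000 on both requests means the endpoint is disabled or unreachable, and 401 on both means no usable token was obtained, which is what a process inside a container sees when the hop limit is too low for the PUT response to reach it.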


Summary

  • IMDSv2 is the recommended security best practice to enable on your instances. It adds another layer of protection to access to your instance metadata.
