{"id":18991,"date":"2022-05-09T09:21:01","date_gmt":"2022-05-09T17:21:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/09\/news-12724\/"},"modified":"2022-05-09T09:21:01","modified_gmt":"2022-05-09T17:21:01","slug":"news-12724","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/09\/news-12724\/","title":{"rendered":"How to secure your AWS EC2 Instance Metadata Service (IMDS)"},"content":{"rendered":"<p><strong>Credit to Author: Doug Aamoth| Date: Mon, 09 May 2022 15:45:12 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>If you&#8217;ve got apps running in AWS, you may be using Amazon&#8217;s EC2 Instance Metadata Service (IMDS) to rotate credentials instead of hardcoding them or manually distributing them periodically.<\/p>\n<p>Version 2 of IMDS was released in late 2019 and it&#8217;s now strongly advised that it be used instead of the original version.<\/p>\n<p>This is because misconfigured-open WAFs, misconfigured-open reverse proxies, unpatched SSRF vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation could allow attackers unauthorized access to your network and internal resources, including making calls to the EC2 Instance Metadata Service (IMDS) v1 to discover more about privileges and IAM roles.<\/p>\n<p>While IMDSv1 leveraged a request\/response method, the new version (IMDSv2) protects every request by session authentication.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/optix.png\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-84470 size-medium alignright\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/optix.png?w=300\" alt=\"\" width=\"300\" height=\"237\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/optix.png 1601w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/optix.png?resize=300,237 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/optix.png?resize=768,608 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/optix.png?resize=1024,810 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/05\/optix.png?resize=1536,1216 1536w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a>With Sophos Cloud Optix, we make it easy to detect EC2 instances that have version 1 of the Instance Metadata Service (IMDS) enabled and have IAM roles assigned to them. The rule can be found as part of the Sophos Best Practices policy for AWS, available to Cloud Optix Advanced customers.<\/p>\n<p>If you&#8217;re already using Sophos Cloud Optix Advanced, click into the Policies section to find the Sophos Best Practices policy. Expand the Endpoint Security section, then ensure that rule\u00a0AR-1052\u00a0is enabled.<\/p>\n<p>And if you&#8217;re not using Cloud Optix, head to <a href=\"http:\/\/sophos.com\/optix\" target=\"_blank\" rel=\"noopener\">sophos.com\/optix<\/a> to learn more and start a free 30-day trial. 
Current Sophos customers can also start an Optix trial right from Sophos Central under the <a href=\"https:\/\/central.sophos.com\/manage\/central\/products\" target=\"_blank\" rel=\"noopener\">Free Trials section<\/a> at the bottom of the left navigation.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/05\/09\/how-to-secure-your-aws-ec2-instance-metadata-service-imds\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2019\/12\/cloud-optix.png\"\/><\/p>\n<p><strong>Credit to Author: Doug Aamoth| Date: Mon, 09 May 2022 15:45:12 +0000<\/strong><\/p>\n<p>With Sophos Cloud Optix, we make it easy to detect EC2 instances that have version 1 of the Instance Metadata Service (IMDS) enabled and have IAM roles assigned to them.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[12010,11728,21508,24562],"class_list":["post-18991","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-aws","tag-cloud","tag-cloud-optix","tag-products-services"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18991","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18991"}],"version-history":[{"count":0,"href":"http:\/\/www.pala
da.net\/index.php\/wp-json\/wp\/v2\/posts\/18991\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18991"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}