Auto Scaling Group Enforces IMDSv2 or Disables Instance Metadata Service

Overview

This check ensures that your Auto Scaling launch configurations require Instance Metadata Service Version 2 (IMDSv2) or disable the metadata service entirely. IMDSv2 adds important security protections that prevent attackers from stealing credentials through common web vulnerabilities.

Risk

Without enforced IMDSv2, attackers can exploit Server-Side Request Forgery (SSRF) vulnerabilities to steal IAM role credentials from your EC2 instances. With stolen credentials, attackers can:

  • Exfiltrate sensitive data from your AWS account
  • Move laterally across your infrastructure
  • Modify or delete resources
  • Compromise your data confidentiality and integrity

This is a high severity finding because credential theft is one of the most impactful attacks in cloud environments.

Remediation Steps

Prerequisites

You need permission to create and modify Auto Scaling launch configurations in your AWS account. Typically this means having the autoscaling:CreateLaunchConfiguration and autoscaling:UpdateAutoScalingGroup permissions.

Important: Launch configurations cannot be modified after creation. You must create a new launch configuration with the correct settings, then update your Auto Scaling group to use it.

AWS Console Method

  1. Open the EC2 console in the us-east-1 region
  2. In the left navigation, scroll down to Auto Scaling and select Launch Configurations
  3. Click Create launch configuration
  4. Configure your settings:
    • Enter a Name for the new configuration
    • Select the same AMI and Instance type as your existing configuration
  5. Scroll down to Advanced details and expand the section
  6. Find the Metadata settings:
    • Set Metadata accessible to Enabled
    • Set Metadata version to V2 only (token required)
  7. Complete the remaining configuration options and click Create launch configuration
  8. Now update your Auto Scaling group to use the new configuration:
    • Go to Auto Scaling Groups in the left navigation
    • Select your Auto Scaling group
    • Click Edit in the Details section
    • Under Launch configuration, select your new IMDSv2-enforced configuration
    • Click Update

Alternative: If your instances do not need the metadata service at all, you can set Metadata accessible to Disabled instead.

AWS CLI (optional)

Create a new launch configuration with IMDSv2 enforced:

aws autoscaling create-launch-configuration \
--region us-east-1 \
--launch-configuration-name <your-new-config-name> \
--image-id <your-ami-id> \
--instance-type <your-instance-type> \
--security-groups <your-security-group-id> \
--metadata-options "HttpTokens=required,HttpEndpoint=enabled"

Replace the placeholders:

  • <your-new-config-name> - A unique name for the new configuration
  • <your-ami-id> - The AMI ID (e.g., ami-0abcdef1234567890)
  • <your-instance-type> - Instance type (e.g., t3.micro)
  • <your-security-group-id> - Security group ID (e.g., sg-0123456789abcdef0)

Then update your Auto Scaling group to use the new configuration:

aws autoscaling update-auto-scaling-group \
--region us-east-1 \
--auto-scaling-group-name <your-asg-name> \
--launch-configuration-name <your-new-config-name>

To disable the metadata service entirely (if not needed):

aws autoscaling create-launch-configuration \
--region us-east-1 \
--launch-configuration-name <your-new-config-name> \
--image-id <your-ami-id> \
--instance-type <your-instance-type> \
--security-groups <your-security-group-id> \
--metadata-options "HttpEndpoint=disabled"

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: Auto Scaling Launch Configuration with IMDSv2 enforced

Parameters:
  LaunchConfigName:
    Type: String
    Description: Name for the launch configuration
  ImageId:
    Type: AWS::EC2::Image::Id
    Description: AMI ID for instances
  InstanceType:
    Type: String
    Default: t3.micro
    Description: EC2 instance type
  SecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: Security groups for instances

Resources:
  IMDSv2LaunchConfiguration:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      LaunchConfigurationName: !Ref LaunchConfigName
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      SecurityGroups: !Ref SecurityGroupIds
      MetadataOptions:
        HttpTokens: required
        HttpEndpoint: enabled

Outputs:
  LaunchConfigurationName:
    Description: Name of the created launch configuration
    Value: !Ref IMDSv2LaunchConfiguration
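The console and CLI steps above are the same procedure: because a launch configuration is immutable, you read the group's current configuration, create a copy that carries the desired metadata options, and point the group at the copy. The following boto3 script is an added example (not the page's own tooling) that automates that sequence. It copies only the settings that create_launch_configuration accepts back, drops empty values that describe_launch_configurations returns for unset fields, and forces MetadataOptions to either IMDSv2-only or disabled. Field names are those of the Auto Scaling API; SAMPLE_EXISTING_CONFIG is a constructed describe-launch-configurations entry for offline use.

```python
"""Replace an Auto Scaling launch configuration with an IMDSv2-enforcing copy.

Added example, not part of the original page. It automates the remediation
procedure above with boto3: read the group's current launch configuration,
build a new one with the same settings plus the required MetadataOptions,
create it, then switch the group to it.
"""
from __future__ import annotations

from typing import Any

# Settings of an existing launch configuration that create_launch_configuration
# accepts again. Read-only fields (LaunchConfigurationARN, CreatedTime) and the
# old MetadataOptions are deliberately left out.
COPYABLE_FIELDS = (
    "ImageId", "KeyName", "SecurityGroups", "ClassicLinkVPCId",
    "ClassicLinkVPCSecurityGroups", "UserData", "InstanceType", "KernelId",
    "RamdiskId", "BlockDeviceMappings", "InstanceMonitoring", "SpotPrice",
    "IamInstanceProfile", "EbsOptimized", "AssociatePublicIpAddress",
    "PlacementTenancy",
)

METADATA_MODES = {
    # IMDSv2 only: every metadata request must carry a session token.
    "required": {"HttpTokens": "required", "HttpEndpoint": "enabled"},
    # Metadata service switched off (only when instances do not need it).
    "disabled": {"HttpEndpoint": "disabled"},
}


def build_replacement_params(existing: dict[str, Any], new_name: str,
                             mode: str = "required") -> dict[str, Any]:
    """Build the create_launch_configuration() request for the replacement.

    Empty values returned by describe_launch_configurations (e.g. KernelId "")
    are dropped so the service default applies rather than an invalid string.
    """
    if mode not in METADATA_MODES:
        raise ValueError(f"mode must be one of {sorted(METADATA_MODES)}")
    if new_name == existing.get("LaunchConfigurationName"):
        raise ValueError("the replacement needs a new, unique name")
    params: dict[str, Any] = {"LaunchConfigurationName": new_name}
    for field in COPYABLE_FIELDS:
        value = existing.get(field)
        if value not in (None, "", [], {}):
            params[field] = value
    params["MetadataOptions"] = dict(METADATA_MODES[mode])
    return params


def replace_launch_configuration(region: str, asg_name: str, new_name: str,
                                 mode: str = "required") -> dict[str, Any]:
    """Live remediation (boto3 import deferred so the module runs offline)."""
    import boto3  # assumed installed, with credentials for the target account

    autoscaling = boto3.client("autoscaling", region_name=region)
    group = autoscaling.describe_auto_scaling_groups(
        AutoScalingGroupNames=[asg_name])["AutoScalingGroups"][0]
    current_name = group.get("LaunchConfigurationName")
    if not current_name:
        raise RuntimeError(f"{asg_name} uses a launch template, not a launch configuration")
    existing = autoscaling.describe_launch_configurations(
        LaunchConfigurationNames=[current_name])["LaunchConfigurations"][0]
    params = build_replacement_params(existing, new_name, mode)
    autoscaling.create_launch_configuration(**params)
    autoscaling.update_auto_scaling_group(
        AutoScalingGroupName=asg_name, LaunchConfigurationName=new_name)
    return params


# Constructed sample in the shape describe-launch-configurations returns;
# the ARN and account number are made up.
SAMPLE_EXISTING_CONFIG = {
    "LaunchConfigurationName": "web-lc-v1",
    "LaunchConfigurationARN": "arn:aws:autoscaling:us-east-1:111122223333:launchConfiguration:00000000-0000-0000-0000-000000000000:launchConfigurationName/web-lc-v1",
    "ImageId": "ami-0abcdef1234567890",
    "KeyName": "",
    "SecurityGroups": ["sg-0123456789abcdef0"],
    "UserData": "",
    "InstanceType": "t3.micro",
    "KernelId": "",
    "RamdiskId": "",
    "BlockDeviceMappings": [],
    "InstanceMonitoring": {"Enabled": True},
    "IamInstanceProfile": "web-instance-profile",
    "EbsOptimized": False,
    "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_replacement_params(SAMPLE_EXISTING_CONFIG, "web-lc-v2"), indent=2))
```

Run the live function as replace_launch_configuration("us-east-1", "my-asg", "my-imdsv2-config") once the credentials in use hold the permissions listed under Prerequisites; the returned dict is exactly what was sent to create_launch_configuration, so it can be logged as a change record.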

Deploy with:

aws cloudformation deploy \
--region us-east-1 \
--template-file template.yaml \
--stack-name imdsv2-launch-config \
--parameter-overrides \
LaunchConfigName=my-imdsv2-config \
ImageId=ami-0abcdef1234567890 \
InstanceType=t3.micro \
SecurityGroupIds=sg-0123456789abcdef0

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "launch_config_name" {
  description = "Name for the launch configuration"
  type        = string
}

variable "image_id" {
  description = "AMI ID for instances"
  type        = string
}

variable "instance_type" {
  description = "EC2 instance type"
  type        = string
  default     = "t3.micro"
}

variable "security_groups" {
  description = "List of security group IDs"
  type        = list(string)
}

resource "aws_launch_configuration" "imdsv2_enforced" {
  # Launch configurations are immutable, so any change replaces this resource.
  # With create_before_destroy below, the replacement must not reuse the old
  # name: change launch_config_name on each update or use name_prefix instead.
  name            = var.launch_config_name
  image_id        = var.image_id
  instance_type   = var.instance_type
  security_groups = var.security_groups

  metadata_options {
    http_tokens   = "required"
    http_endpoint = "enabled"
  }

  lifecycle {
    create_before_destroy = true
  }
}

output "launch_configuration_name" {
  description = "Name of the created launch configuration"
  value       = aws_launch_configuration.imdsv2_enforced.name
}

Apply with:

terraform apply \
-var="launch_config_name=my-imdsv2-config" \
-var="image_id=ami-0abcdef1234567890" \
-var="instance_type=t3.micro" \
-var='security_groups=["sg-0123456789abcdef0"]'

Verification

After updating your Auto Scaling group, verify the change was successful:

  1. In the EC2 console, go to Auto Scaling > Launch Configurations
  2. Select your new launch configuration
  3. In the Details tab, confirm that:
    • Metadata version shows V2 only (token required), OR
    • Metadata accessible shows Disabled

CLI Verification

aws autoscaling describe-launch-configurations \
--region us-east-1 \
--launch-configuration-names <your-config-name> \
--query 'LaunchConfigurations[0].MetadataOptions'

Expected output for IMDSv2 enforced:

{
    "HttpTokens": "required",
    "HttpEndpoint": "enabled"
}

Or for disabled metadata service:

{
    "HttpEndpoint": "disabled"
}

Additional Resources

Notes

  • Launch configurations are legacy: AWS recommends using Launch Templates instead of Launch Configurations for new deployments. Launch Templates support IMDSv2 and offer additional features. Consider migrating to Launch Templates for better long-term support.

  • Existing instances are not affected: Changing the launch configuration only affects new instances. Existing instances launched by the Auto Scaling group will retain their original metadata settings until they are replaced.

  • Set IMDSv2 as an account default: You can configure IMDSv2 as the default for all new instances in your account using the EC2 instance metadata defaults setting. This provides defense-in-depth.

  • Apply least privilege to instance roles: Even with IMDSv2 enforced, ensure your instance IAM roles follow least privilege principles to minimize the impact of any credential compromise.

  • Consider egress filtering: Implement network egress filtering and SSRF protections as additional layers of defense against credential theft attempts.
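The Verification section gives the pass condition for one launch configuration, and the note above points out that instances already running keep their old metadata settings until they are replaced. The script below is an added example (not the page's or AWS's own check) that encodes that pass condition once, as an evaluator over a MetadataOptions block, and applies it both to launch configurations and to the instances an Auto Scaling group currently runs, since EC2's describe-instances returns MetadataOptions with the same HttpTokens/HttpEndpoint keys. A configuration without any MetadataOptions is treated as failing, because the service defaults (endpoint enabled, tokens optional) still answer untokened IMDSv1 requests. Field names are those of the AWS APIs; the SAMPLE_* records are constructed.

```python
"""Audit MetadataOptions for IMDSv2 enforcement.

Added example, not part of the original page. The evaluator implements the
pass condition from the Verification section (HttpTokens "required" or
HttpEndpoint "disabled") and is applied to launch configurations and to the
instances an Auto Scaling group already runs, which keep their old settings
until they are replaced.
"""
from __future__ import annotations

from typing import Any, Iterable

PASS, FAIL = "PASS", "FAIL"


def evaluate_metadata_options(opts: dict[str, Any] | None) -> tuple[str, str]:
    """Classify one MetadataOptions block; returns (status, reason).

    A missing block means no metadata options were set at creation, so the
    service defaults apply (endpoint enabled, tokens optional): IMDSv1
    requests without a token are still answered, which fails the check.
    """
    opts = opts or {}
    endpoint = opts.get("HttpEndpoint", "enabled")
    tokens = opts.get("HttpTokens", "optional")
    if endpoint == "disabled":
        return PASS, "instance metadata service disabled"
    if tokens == "required":
        return PASS, "IMDSv2 enforced (HttpTokens=required)"
    return FAIL, f"HttpTokens={tokens}: untokened IMDSv1 requests are still served"


def audit(items: Iterable[dict[str, Any]], name_key: str) -> list[dict[str, str]]:
    """Evaluate each launch-configuration or instance record."""
    findings = []
    for item in items:
        status, reason = evaluate_metadata_options(item.get("MetadataOptions"))
        findings.append({"name": item.get(name_key, "<unnamed>"),
                         "status": status, "reason": reason})
    return findings


def failing_names(findings: Iterable[dict[str, str]]) -> list[str]:
    """Names of records that fail, sorted for stable reporting."""
    return sorted(f["name"] for f in findings if f["status"] == FAIL)


def audit_group_live(region: str, asg_name: str) -> dict[str, list[dict[str, str]]]:
    """Live check (boto3 import deferred so the module runs offline): the
    group's launch configuration plus every instance currently in the group."""
    import boto3  # assumed installed, with read-only credentials for the account

    autoscaling = boto3.client("autoscaling", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    group = autoscaling.describe_auto_scaling_groups(
        AutoScalingGroupNames=[asg_name])["AutoScalingGroups"][0]
    lcs: list[dict[str, Any]] = []
    lc_name = group.get("LaunchConfigurationName")
    if lc_name:  # groups on launch templates have no launch configuration
        lcs = autoscaling.describe_launch_configurations(
            LaunchConfigurationNames=[lc_name])["LaunchConfigurations"]
    instance_ids = [i["InstanceId"] for i in group.get("Instances", [])]
    instances: list[dict[str, Any]] = []
    if instance_ids:
        for reservation in ec2.describe_instances(InstanceIds=instance_ids)["Reservations"]:
            instances.extend(reservation["Instances"])
    return {"launch_configurations": audit(lcs, "LaunchConfigurationName"),
            "instances": audit(instances, "InstanceId")}


# Constructed samples in the shapes the two describe calls return.
SAMPLE_LAUNCH_CONFIGS = [
    {"LaunchConfigurationName": "lc-imdsv2-enforced",
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"LaunchConfigurationName": "lc-imds-disabled",
     "MetadataOptions": {"HttpEndpoint": "disabled"}},
    {"LaunchConfigurationName": "lc-legacy-optional",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"LaunchConfigurationName": "lc-no-metadata-options"},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2",  # launched before the change, still IMDSv1-capable
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_LAUNCH_CONFIGS, "LaunchConfigurationName") + audit(SAMPLE_INSTANCES, "InstanceId"):
        print(f"{row['status']:4} {row['name']:28} {row['reason']}")
```

Running audit_group_live against a group right after the remediation typically shows the new launch configuration passing while older instances still fail; that list is the set of instances to replace (an instance refresh or scale-out/scale-in) before the finding can be closed.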