aws_instance should activate session tokens for Instance Metadata Service.
| Property | |
|---|---|
| Language | |
| Severity | |
| Service | ec2 |
| Provider | AWS |
| Vulnerability Type | omission |
Description
The AWS EC2 instance is configured with the ‘http_tokens’ setting of its metadata options left at ‘optional’ rather than ‘required’, so the Instance Metadata Service (IMDS) still answers plain, tokenless GET requests (IMDSv1) instead of enforcing the session-token flow of IMDSv2. This leaves the IMDS endpoint at 169.254.169.254 readable by any process on the instance that can issue an HTTP request, including one that is made on an attacker's behalf through a server-side request forgery (SSRF) bug or a misconfigured forward proxy, because no PUT-then-GET token handshake is needed.
Impact
If exploited, any process on the instance, or an attacker who can make the instance send an HTTP request for them, can read instance metadata with a single GET, including the temporary IAM role credentials served under /latest/meta-data/iam/security-credentials/. Those credentials are then usable from anywhere to call AWS APIs with the instance role's permissions, enabling privilege escalation, data exfiltration, and lateral movement within the cloud environment.
Resolution
Require IMDSv2 by setting http_tokens to "required" in the instance's metadata_options block. For instances that are already running, the same setting can be applied with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`. Keep http_put_response_hop_limit at 1 unless containers on the instance legitimately need metadata access, so that the IMDSv2 token response cannot cross a network hop. Before enforcing, confirm that agents and SDKs on the instance support IMDSv2; current AWS SDKs and the SSM agent do.
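The following Terraform is an added example, not code from the original page: it shows the non-compliant resource that triggers this finding beside the hardened form. The AMI ID, instance type and resource names are placeholders.

```hcl
# Added example (not from the original page). AMI ID and names are placeholders.

# Non-compliant: http_tokens = "optional" keeps IMDSv1 reachable with a plain GET,
# so an SSRF or open proxy on the instance can read the IAM role credentials directly.
resource "aws_instance" "imdsv1_allowed" {
  ami           = "ami-0123456789abcdef0" # placeholder
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "optional" # finding: session token not required
  }
}

# Compliant: IMDSv2 only. Every metadata read must first obtain a session token
# with a PUT to /latest/api/token and present it in X-aws-ec2-metadata-token.
resource "aws_instance" "imdsv2_required" {
  ami           = "ami-0123456789abcdef0" # placeholder
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # reject tokenless (IMDSv1) requests
    http_put_response_hop_limit = 1          # token response cannot leave the instance
    instance_metadata_tags      = "disabled"
  }
}
```

With the hardened resource, a tokenless `curl http://169.254.169.254/latest/meta-data/` from inside the instance is answered with HTTP 401; a client must first run `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` and send the returned token in the `X-aws-ec2-metadata-token` header. A typical SSRF primitive can only issue a GET with attacker-chosen URL and cannot perform that PUT or set a custom header, which is what makes the setting effective.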