Threat Research Report Team

Enforce AWS IMDSv2 with Uptycs

Written by Sai Naga Subrahmanyam | Jun 5, 2024 2:34:46 PM

 

Instance Metadata Service version 2 (IMDSv2) represents a significant advancement in cloud security, providing robust protection against threats like Server-Side Request Forgery (SSRF) attacks. This protocol, offered by cloud platforms such as AWS, ensures secure access to sensitive metadata, safeguarding vital information within cloud environments.

 

For example, the Capital One breach in 2019 exploited an SSRF vulnerability, allowing the attacker to gain access to the AWS metadata service and retrieve sensitive data. By requiring session tokens, IMDSv2 safeguards critical information such as instance credentials and configuration details, which are crucial for maintaining the integrity and security of cloud-based infrastructures.

 

AWS made IMDSv2 the default on all new EC2 instances launched after March 21, 2022, underscoring the significance AWS places on improving security measures to protect its users. It is important to note that millions of running instances still have IMDSv1 enabled. According to Palo Alto Networks’ Unit 42 Cloud Threat Report, 55% of organizations still have IMDSv1 actively configured, highlighting the urgency of migrating to IMDSv2. This legacy setup leaves them vulnerable to the same types of attacks that IMDSv2 aims to prevent. Therefore, migrating to IMDSv2 is an essential step for EC2 users to protect their instances from such vulnerabilities and enhance the overall security posture of their cloud environments.

 

Understanding IMDSv2

AWS offers a variety of services to its users, with EC2 being one of the most widely used. One critical component of EC2 instances is IMDS, which provides data about the instance that can be used to configure or manage the running instance. Originally, AWS used IMDSv1, but recent security concerns have highlighted the need for enhanced protections, leading to the introduction of IMDSv2.

IMDSv2 enhances security by requiring session tokens for access, preventing potential exploitation by attackers. It mitigates the risk of SSRF attacks and safeguards critical information such as instance credentials and configuration details, crucial for maintaining the integrity and security of cloud-based infrastructures.

 

The Role of Uptycs

Uptycs' CNAPP is instrumental in managing and securing cloud workloads. It provides comprehensive visibility into your cloud environment, allowing you to surface, prioritize, remediate, and notify on any misconfigurations. Using Uptycs, you can seamlessly identify IMDSv1 instances and enforce IMDSv2, ensuring robust protection against potential security threats.

 

In the above diagram, you can see the process of detecting and handling IMDSv1 requests with Uptycs. When an EC2 instance makes a request to IMDSv1, the Uptycs Sensor detects this activity and generates an alert. If configured, Uptycs can quarantine the EC2 instance to prevent potential security threats. Additionally, Uptycs cloud remediation can assist in upgrading the instance to use IMDSv2, enhancing its security.

A Guide to Mitigating IMDSv1 Usage with Uptycs

This article provides a comprehensive guide on how to detect and mitigate the use of IMDSv1 across your AWS fleet using Uptycs. Here's what you'll learn:

 

  1. Assessing Current Metadata Usage: Learn how to identify which AWS instances are  using metadata.

  2. Using Uptycs for Threat Detection, Containment, and Remediation:

    • Detect IMDSv1 Usage:  Identify instances and applications using IMDSv1.

    • Instant Threat Detection: Configure Uptycs to immediately alert for any IMDSv1 usage and potential threats.

    • Threat Containment: Use Uptycs Sensor to quarantine instances and terminate processes that invoke IMDSv1.

    • Remediation:  Implement manual and automatic steps to upgrade from IMDSv1 to IMDSv2.

Preparing Your AWS fleet for IMDSv2 Enforcement

1. Assessment of Current Metadata Use

Discover which EC2 instances are using IMDSv1:

To begin securing your AWS fleet, it's crucial to discover which instances are still using IMDSv1. Using our natural language ‘Ask Uptycs’ capability, you’re able to ask a simple question such as “Show all EC2 instances using IMDSv1 in my AWS infrastructure” to detect current metadata utilization across your AWS fleet.

 

Step 1: Access the Uptycs platform and navigate to the Ask Uptycs section where you begin typing your question.

 

Step 2: Ask a question to show all EC2 instances using IMDSv1. Alternatively, you can also discover which Applications running on EC2 instances are using IMDSv1. This will give you an overview of how widespread the use of IMDSv1 is within your environment.

 

Step 3: Review the results and identify specific instances that need to be updated.

 

2. Detection, Containment, and Remediation

Instant Detection

 

Uptycs has a built-in rule that detects the usage of IMDSv1. When access to the IMDSv1 URL is detected, an alert is generated. To ensure immediate awareness of any security issues, Uptycs has the capability to send notifications to your Slack or SIEM platforms.

 

Threat Containment

 

Quarantine Cloud Workloads Running IMDSv1:

When Uptycs detects an instance running IMDSv1, you can choose to have Uptycs automatically quarantine the instance to prevent potential exploitation. Quarantine can be defined as isolating the instance from the rest of the network to contain any potential threats it may pose.


During quarantine, the EC2 instance is effectively separated from other resources within the network, restricting its ability to interact with other systems or access sensitive data. It remains in a controlled environment where its activities are closely monitored. While quarantined, the EC2 instance is typically prevented from sending or receiving network traffic, accessing shared resources, or executing commands that could potentially compromise the security of the environment.


Quarantine doesn't disable the instance entirely. It keeps its settings and data intact for authorized administrators to inspect and fix any problems. After addressing the issue and ensuring security, the instance can rejoin the network safely. Quarantine stops threats from spreading across the infrastructure. Once the necessary security measures have been implemented and the threat mitigated, the instance can be safely reintegrated into the network. Quarantine serves as a protective measure to contain potential threats and prevent them from spreading further within the infrastructure.


Step 1: Set up quarantine actions in built in IMDSv1 detection rule for instances identified with IMDSv1.

Step 2: Review quarantined instances and take steps to upgrade them to IMDSv2.

 

Kill the Process:

To further enhance security, Uptycs allows you to terminate processes that invoke the IMDSv1 API directly.

 

Step 1: Configure the built in IMDSv1 detection rule to terminate the process attempting to use IMDSv.

Step 2: Verify that the terminated processes no longer pose a threat to your environment.

 

Remediation

 

Automatic Remediation:

Uptycs also offers automatic remediation options to streamline the upgrade process.

 

Step 1: Use the "Remediate" button in Uptycs to initiate automatic upgrades from IMDSv1 to IMDSv2.

Step 2: Monitor the remediation process through the Uptycs dashboard.

 

Step 3: Validate the changes to ensure all instances have been successfully updated.

 

Manual Remediation

 

For instances that cannot be automatically updated, manual remediation steps are necessary.

 

Step 1: Follow steps to fix to manually upgrade from IMDSv1 to IMDSv2 on each affected instance.

Step 2: Ensure all applications and configurations are compatible with IMDSv2.

 

Step 3: Test the updated setup to confirm that IMDSv2 is functioning correctly.

 

Conclusion

Empowered by this guide, you can leverage Uptycs' comprehensive solution to detect, contain, and remediate the lingering use of IMDSv1 as you effectively implement and manage IMDSv2. This ensures a secure and compliant cloud environment, while elevating your overall security posture with a streamlined vulnerability detection and mitigation process.