TF 0160 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
aws_instance should require session tokens (IMDSv2) for the Instance Metadata Service.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | ec2 |
| Provider | AWS |
| Vulnerability Type | omission |
Description
The aws_instance resource does not set `http_tokens = "required"` in its `metadata_options`, so the instance keeps answering IMDSv1 requests: any process that can reach 169.254.169.254 from the instance can read metadata with a plain, unauthenticated GET. IMDSv2 replaces this with a session scheme: the caller first obtains a token with a PUT request carrying the `X-aws-ec2-metadata-token-ttl-seconds` header and must present that token on every subsequent GET. Leaving tokens optional forfeits that protection and makes it far easier for unauthorized code, or for a vulnerability in software running on the instance, to read sensitive instance metadata.
Impact
An attacker who can make software on the instance issue HTTP requests on their behalf (for example through SSRF or a misconfigured reverse proxy), or who has code execution on it, can read the metadata endpoint without authentication. The most sensitive item there is the temporary credential set of the attached IAM instance profile, served under `/latest/meta-data/iam/security-credentials/`; those credentials are valid from anywhere, not just from the instance. This can lead to privilege escalation, lateral movement within the AWS environment, and compromise of other AWS resources the role can reach. Many request-forgery primitives can only issue GET requests without custom headers, which is exactly what requiring IMDSv2 tokens blocks.
Resolution
Enable the HTTP token requirement for IMDS: add a `metadata_options` block to the aws_instance resource with `http_tokens = "required"`, keeping `http_endpoint = "enabled"` so the workload can still reach IMDSv2. The same block applies to `aws_launch_template`, which is where Auto Scaling instances inherit their metadata settings from. Before enforcing it, confirm that agents and SDKs on the instance already speak IMDSv2; IMDSv1-only clients will lose access to metadata and credentials once tokens are required.
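The following Terraform is an added example and is not code from the Symbiotic database or from any particular project. It puts the flagged shape next to the corrected one; the variables, the instance profile name and the resource labels are placeholders chosen for the illustration.

```hcl
# Placeholders for the example (assumed, not part of the original page).
variable "ami_id" {
  type = string
}

variable "subnet_id" {
  type = string
}

resource "aws_iam_instance_profile" "app" {
  name = "app-instance-profile"
  role = "app-role" # assumed to exist
}

# Flagged by TF 0160: no metadata_options block, so the EC2 default of
# http_tokens = "optional" applies (unless the AMI or account-level IMDS
# defaults already require tokens) and IMDSv1 GET requests are answered.
resource "aws_instance" "weak" {
  ami                  = var.ami_id
  instance_type        = "t3.micro"
  subnet_id            = var.subnet_id
  iam_instance_profile = aws_iam_instance_profile.app.name
}

# Passes: every metadata read must carry a session token obtained with a PUT.
resource "aws_instance" "hardened" {
  ami                  = var.ami_id
  instance_type        = "t3.micro"
  subnet_id            = var.subnet_id
  iam_instance_profile = aws_iam_instance_profile.app.name

  metadata_options {
    http_endpoint               = "enabled"  # keep IMDS reachable for the workload
    http_tokens                 = "required" # reject IMDSv1 (unauthenticated GET)
    http_put_response_hop_limit = 1          # token replies do not leave the host;
                                             # raise to 2 only if containers need IMDS
    instance_metadata_tags      = "disabled" # do not expose tags via IMDS unless needed
  }
}

# Auto Scaling instances take their IMDS settings from the launch template,
# so the same block belongs there as well.
resource "aws_launch_template" "hardened" {
  name_prefix   = "app-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  iam_instance_profile {
    name = aws_iam_instance_profile.app.name
  }

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }
}
```

Changing `http_tokens` on an existing aws_instance is an in-place update in `terraform plan`, not a replacement, so the fix can be rolled out to running fleets. The EC2 CloudWatch metric `MetadataNoToken` counts IMDSv1 calls per instance; a value of zero over a representative window is the practical check that nothing on the host still depends on IMDSv1 before the requirement is enforced.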