AWS IMDSv2.

The session-token-based replacement for the AWS EC2 Instance Metadata Service, designed to defeat SSRF-based credential theft of EC2 instance role tokens by requiring a PUT-issued, short-lived token on every request. Es gehört zur Kategorie Cloud-Sicherheit der Cybersicherheit.

The session-token-based replacement for the AWS EC2 Instance Metadata Service, designed to defeat SSRF-based credential theft of EC2 instance role tokens by requiring a PUT-issued, short-lived token on every request.

IMDSv2 is the second version of the EC2 Instance Metadata Service, introduced in 2019 in direct response to the Capital One breach and other SSRF-driven cloud credential theft attacks. Unlike IMDSv1, where any code on the instance — including a webserver tricked into making a GET to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`— could read the instance role credentials, IMDSv2 requires the client to first issue a PUT to `/latest/api/token` with a TTL header, then include the returned session token on every metadata read. A reflected or server-side request forgery cannot easily issue both calls because the PUT requires a non-default HTTP method and a custom header, and the response is a short-lived token. IMDSv2 also lets administrators set the `HttpPutResponseHopLimit` to 1, blocking containers on the host from reaching the metadata service. As of 2023, new AWS resources and most launch templates default to `HttpTokens: required`; legacy AMIs and infra still permitting IMDSv1 remain a common Wiz/CSPM finding and an active path for cloud token theft.

Schutzmaßnahmen gegen AWS IMDSv2 kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.

Übliche alternative Bezeichnungen: EC2 Instance Metadata Service v2, IMDSv2.