AWS IMDSv2
What is AWS IMDSv2?
The session-token-based replacement for the AWS EC2 Instance Metadata Service, designed to defeat SSRF-based credential theft of EC2 instance role tokens by requiring a PUT-issued, short-lived token on every request.
IMDSv2 is the second version of the EC2 Instance Metadata Service, introduced in 2019 in direct response to the Capital One breach and other SSRF-driven cloud credential theft attacks. Under IMDSv1, any code on the instance, including a web server tricked into making a GET to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`, could read the instance role credentials. IMDSv2 instead requires the client to first issue a PUT to `/latest/api/token` with a TTL header and then present the returned session token on every metadata read. A reflected or server-side request forgery cannot easily complete both steps, because the PUT needs a non-default HTTP method plus a custom header, and what it returns is only a short-lived token. IMDSv2 also lets administrators set `HttpPutResponseHopLimit` to 1, so the token response cannot cross a network hop and containers on the host cannot reach the metadata service. As of 2023, new AWS resources and most launch templates default to `HttpTokens: required`; legacy AMIs and infrastructure still permitting IMDSv1 remain a common Wiz/CSPM finding and an active path for cloud token theft.
● Examples
- 01
An EC2 launch template sets `HttpTokens: required` and `HttpPutResponseHopLimit: 1`, blocking both IMDSv1 access and container-side metadata theft.
- 02
A CSPM finding flags every EC2 instance still allowing IMDSv1 because the legacy CentOS AMI was launched before the org-wide policy.
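The two examples above (an enforced launch template and a CSPM finding) as a small audit, added here and not part of the original page: it walks the `MetadataOptions` block that EC2 `DescribeInstances` returns for each instance and flags those where IMDSv1 is still allowed or where the hop limit would let containers reach the service. The reservations list is constructed sample data; in practice it would come from boto3's `describe_instances()`.

```python
"""Audit EC2 MetadataOptions for IMDSv1 exposure (added example, constructed data)."""

# Constructed sample shaped like boto3 ec2.describe_instances()["Reservations"].
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "ImageId": "ami-legacy-centos",
         "MetadataOptions": {"HttpEndpoint": "enabled",
                             "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222", "ImageId": "ami-hardened",
         "MetadataOptions": {"HttpEndpoint": "enabled",
                             "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333", "ImageId": "ami-container-host",
         "MetadataOptions": {"HttpEndpoint": "enabled",
                             "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
    ]},
]


def audit_metadata_options(reservations, max_hop_limit=1):
    """Return {instance_id: [finding, ...]} for instances needing remediation."""
    findings = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # metadata service switched off: nothing to steal
            issues = []
            # IMDSv1 exposure: a plain GET with no session token still succeeds.
            if opts.get("HttpTokens", "optional") != "required":
                issues.append("IMDSv1 allowed (HttpTokens != required)")
            # A hop limit above 1 lets the PUT token response cross a network
            # hop, e.g. into a container's own network namespace.
            hop_limit = opts.get("HttpPutResponseHopLimit", 1)
            if hop_limit > max_hop_limit:
                issues.append(f"HttpPutResponseHopLimit={hop_limit} > {max_hop_limit}")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_params(instance_id, hop_limit=1):
    """Keyword arguments for ec2.modify_instance_metadata_options() to enforce IMDSv2."""
    return {"InstanceId": instance_id, "HttpTokens": "required",
            "HttpPutResponseHopLimit": hop_limit}


if __name__ == "__main__":
    for instance_id, issues in audit_metadata_options(SAMPLE_RESERVATIONS).items():
        print(instance_id, "->", "; ".join(issues), "| fix:", remediation_params(instance_id))
```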
● Frequently asked questions
What is AWS IMDSv2?
The session-token-based replacement for the AWS EC2 Instance Metadata Service, designed to defeat SSRF-based credential theft of EC2 instance role tokens by requiring a PUT-issued, short-lived token on every request. It belongs to the Cloud Security category of cybersecurity.
What does AWS IMDSv2 mean?
The session-token-based replacement for the AWS EC2 Instance Metadata Service, designed to defeat SSRF-based credential theft of EC2 instance role tokens by requiring a PUT-issued, short-lived token on every request.
How does AWS IMDSv2 work?
IMDSv2 is the second version of the EC2 Instance Metadata Service, introduced in 2019 in direct response to the Capital One breach and other SSRF-driven cloud credential theft attacks. Under IMDSv1, any code on the instance, including a web server tricked into making a GET to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`, could read the instance role credentials. IMDSv2 instead requires the client to first issue a PUT to `/latest/api/token` with a TTL header and then present the returned session token on every metadata read. A reflected or server-side request forgery cannot easily complete both steps, because the PUT needs a non-default HTTP method plus a custom header, and what it returns is only a short-lived token. IMDSv2 also lets administrators set `HttpPutResponseHopLimit` to 1, so the token response cannot cross a network hop and containers on the host cannot reach the metadata service. As of 2023, new AWS resources and most launch templates default to `HttpTokens: required`; legacy AMIs and infrastructure still permitting IMDSv1 remain a common Wiz/CSPM finding and an active path for cloud token theft.
How do you defend against AWS IMDSv2?
Defense against AWS IMDSv2 usually combines technical controls and operational practices, as described in the definition above.
What are other names for AWS IMDSv2?
Common aliases: EC2 Instance Metadata Service v2, IMDSv2.
● Related terms
- cloud-security № 092
AWS IMDSv1 Attack
An attack that steals EC2 instance role credentials by sending unauthenticated GET requests to the legacy IMDSv1 endpoint, usually via SSRF.
- cloud-security № 208
Cloud Metadata SSRF
A server-side request forgery attack that makes a vulnerable application query the cloud provider's instance metadata service in order to steal temporary credentials.
- attacks № 1120
Server-Side Request Forgery (SSRF)
A web vulnerability that lets an attacker make the server send HTTP or other network requests to arbitrary destinations, often internal systems.
- cloud-security № 212
Cloud Token Theft
An attack that steals tokens such as OAuth, SAML, or signing keys from cloud identity services and replays them to impersonate users or services without credentials.
- cloud-security № 561
IAM Misconfiguration (Cloud)
A state in which identity and access management in the cloud is insecure or over-permissive, allowing users, roles, and services to perform more operations than necessary.
- cloud-security № 209
Cloud Misconfiguration
A security flaw arising from improper configuration of cloud services, such as exposed storage, weak IAM policies, or open management ports.