AWS-027 Amazon Web Services (AWS)

EC2 instances enforce IMDSv2 (token-required metadata).

Domain: Amazon Web Services (AWS)
Area: Compute
Automated / manual: Automated

Risk if it fails

IMDSv1 enables SSRF-based credential theft.

With the old metadata service, a single web-app bug lets an attacker trick the server into handing over its cloud credentials — a classic cloud breach path.

How Tess tests it

1 test — each concludes only on cited evidence.

EC2 instances enforce IMDSv2 (token-required metadata).

Automated
Procedure
Confirm HttpTokens=required on instance metadata options.

Read-only command

aws ec2 describe-instances --query 'Reservations[].Instances[].{Id:InstanceId,Tokens:MetadataOptions.HttpTokens}'
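
One way to turn that command's output into a verdict, as an added example (not Tess's own code): the function reads the JSON the command prints and lists every instance whose HttpTokens is not "required". The sample input and instance IDs are constructed, and reporting an empty result as inconclusive is an assumption of this example.

```python
import json

# Constructed sample of the JSON printed by the read-only command above.
# Instance IDs are made up for illustration.
SAMPLE_OUTPUT = """
[
  {"Id": "i-0aaaaaaaaaaaaaaa1", "Tokens": "required"},
  {"Id": "i-0bbbbbbbbbbbbbbb2", "Tokens": "optional"},
  {"Id": "i-0ccccccccccccccc3", "Tokens": null}
]
"""


def evaluate_imdsv2(cli_json):
    """Return (status, findings) for one region's describe-instances output.

    status is "pass", "fail" or "inconclusive".
    findings lists each instance whose HttpTokens is not exactly "required".
    """
    rows = json.loads(cli_json) or []
    findings = []
    for row in rows:
        tokens = row.get("Tokens")
        # A null or missing value is a finding too: only an explicit
        # "required" counts as evidence that IMDSv2 is enforced.
        if tokens != "required":
            findings.append({"Id": row.get("Id"), "Tokens": tokens})
    if not rows:
        # Assumption: no instances returned means no evidence either way,
        # so a wrong region or profile cannot produce a silent pass.
        return "inconclusive", findings
    return ("fail" if findings else "pass"), findings


if __name__ == "__main__":
    status, bad = evaluate_imdsv2(SAMPLE_OUTPUT)
    print(status.upper())
    for item in bad:
        print(f"  {item['Id']}: HttpTokens={item['Tokens']}")
```

describe-instances returns only the instances in the region the CLI is configured for, so collect and evaluate the output once per region in use.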
