
AWS using IMDSv1

Description

Detects EC2 instances whose Instance Metadata Service still accepts IMDSv1 requests, that is, instances that do not require IMDSv2. With IMDSv1 a single unauthenticated GET to http://169.254.169.254/ returns instance metadata, including the temporary credentials of the instance profile role, so any SSRF (or an open or misconfigured proxy) in an application running on the instance can be turned into credential theft. IMDSv2 is session-oriented: the client must first obtain a token with a PUT request carrying the X-aws-ec2-metadata-token-ttl-seconds header and then send that token in the X-aws-ec2-metadata-token header on every request. A typical SSRF primitive cannot issue a PUT with a custom header, IMDSv2 rejects token requests that carry an X-Forwarded-For header, and the PUT response has a default hop limit of 1, so the token does not leak across an extra network hop such as a container bridge. Instances with HttpTokens set to optional serve both versions and therefore remain exposed to the IMDSv1 attack path.

Weakness:

333 - Insecure service configuration - EC2

Category: Functionality Abuse

Detection Strategy

    Lists every EC2 instance in the running or pending state in the specified AWS region; stopped and terminated instances are not evaluated

    Reads the MetadataOptions.HttpTokens setting of each instance

    Reports a vulnerability when HttpTokens is optional, meaning requests without a session token (IMDSv1) are still served; required is the compliant value

    Identifies each affected instance by its ARN, arn:aws:ec2:<region>:<account-id>:instance/<instance-id>, so the finding carries the region, account ID and instance ID
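The following script is an added example of the detection strategy above, written for this page and not the scanner's own code. The core check runs over a hand-built describe_instances response (constructed sample data; the account ID and instance IDs are placeholders), so it works offline; the live helpers use boto3 calls against the real API and are only invoked when you run the script with credentials. It also includes the remediation call that flips an instance to HttpTokens=required.

```python
"""Find EC2 instances that still accept IMDSv1 (MetadataOptions.HttpTokens == "optional").

Added example, not the scanner's own implementation. The sample data below is
constructed; account and instance IDs are placeholders.
"""

# Constructed sample in the shape of ec2.describe_instances()["Reservations"].
ACCOUNT_ID = "123456789012"  # placeholder account ID (assumption)
REGION = "us-east-1"

SAMPLE_RESERVATIONS = [
    {"Instances": [
        # Running, IMDSv1 still accepted: must be reported.
        {"InstanceId": "i-0aaa111122223333a", "State": {"Name": "running"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        # Running, IMDSv2 enforced: compliant.
        {"InstanceId": "i-0bbb111122223333b", "State": {"Name": "running"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        # Pending, endpoint disabled but HttpTokens still optional: the page's
        # rule keeps flagging it, since re-enabling the endpoint would expose IMDSv1.
        {"InstanceId": "i-0ccc111122223333c", "State": {"Name": "pending"},
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]},
    {"Instances": [
        # Stopped: outside the running/pending scope, not evaluated.
        {"InstanceId": "i-0ddd111122223333d", "State": {"Name": "stopped"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]},
]

IN_SCOPE_STATES = ("running", "pending")


def instance_arn(region, account_id, instance_id):
    """Build the EC2 instance ARN used to identify a finding."""
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def accepts_imdsv1(metadata_options):
    """True when IMDSv2 is not enforced. A missing HttpTokens value is treated
    conservatively as 'optional', which is the service default when unset."""
    return metadata_options.get("HttpTokens", "optional") == "optional"


def find_imdsv1_instances(reservations, region, account_id):
    """Apply the detection rule to a describe_instances-shaped structure."""
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") not in IN_SCOPE_STATES:
                continue
            opts = inst.get("MetadataOptions", {})
            if not accepts_imdsv1(opts):
                continue
            findings.append({
                "arn": instance_arn(region, account_id, inst["InstanceId"]),
                "state": inst["State"]["Name"],
                "http_tokens": opts.get("HttpTokens", "optional"),
                "http_endpoint": opts.get("HttpEndpoint"),
            })
    return findings


def describe_running_and_pending(region):
    """Live path: page through DescribeInstances filtered to running/pending."""
    import boto3  # imported lazily so the offline check does not need boto3
    ec2 = boto3.client("ec2", region_name=region)
    reservations = []
    filters = [{"Name": "instance-state-name", "Values": list(IN_SCOPE_STATES)}]
    for page in ec2.get_paginator("describe_instances").paginate(Filters=filters):
        reservations.extend(page["Reservations"])
    return reservations


def current_account_id():
    """Live path: resolve the account ID for ARN construction."""
    import boto3
    return boto3.client("sts").get_caller_identity()["Account"]


def require_imdsv2(region, instance_id):
    """Remediation: enforce IMDSv2 on a single instance (no reboot required)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.modify_instance_metadata_options(
        InstanceId=instance_id, HttpTokens="required", HttpEndpoint="enabled")


if __name__ == "__main__":
    for finding in find_imdsv1_instances(SAMPLE_RESERVATIONS, REGION, ACCOUNT_ID):
        print(finding)
    # Live scan (needs AWS credentials):
    # live = find_imdsv1_instances(describe_running_and_pending(REGION), REGION, current_account_id())
```

The filter on instance-state-name keeps the API doing the running/pending scoping rather than post-filtering a full listing, and pagination matters because DescribeInstances caps results per page. Note that an instance with HttpEndpoint disabled is still reported under the page's rule even though the metadata service is unreachable at that moment; treat it as a configuration finding, since HttpTokens stays optional if the endpoint is later re-enabled. Account-level defaults (ModifyInstanceMetadataDefaults) and launch templates with HttpTokens=required prevent new instances from regressing, but existing instances need the ModifyInstanceMetadataOptions call shown above.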