If you’ve got apps running in AWS, you may be using Amazon’s EC2 Instance Metadata Service (IMDS) to rotate credentials instead of hardcoding them or manually distributing them periodically.
Version 2 of IMDS was released in late 2019 and it’s now strongly advised that it be used instead of the original version.
This is because misconfigured-open WAFs, misconfigured-open reverse proxies, unpatched SSRF vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation could allow attackers unauthorized access to your network and internal resources, including making calls to the EC2 Instance Metadata Service (IMDS) v1 to discover more about privileges and IAM roles.
While IMDSv1 leveraged a request/response method, the new version (IMDSv2) protects every request by session authentication.
With Sophos Cloud Optix, we make it easy to detect EC2 instances that have version 1 of the Instance Metadata Service (IMDS) enabled and have IAM roles assigned to them. The rule can be found as part of the Sophos Best Practices policy for AWS, available to Cloud Optix Advanced customers.
If you’re already using Sophos Cloud Optix Advanced, click into the Policies section to find the Sophos Best Practices policy. Expand the Endpoint Security section, then ensure that rule AR-1052 is enabled.
And if you’re not using Cloud Optix, head to sophos.com/optix to learn more and start a free 30-day trial. Current Sophos customers can also start an Optix trial right from Sophos Central under the Free Trials section at the bottom of the left navigation.