Skip to main content
ClaudeWave
Skill323 repo starsupdated today

cis-aws-compute-2.8

This skill audits AWS EC2 instances to identify those allowing IMDSv1 and enforces Instance Metadata Service Version 2 (IMDSv2) across all instances. Use this when implementing security hardening for EC2 environments to prevent metadata-based attacks and ensure compliance with security standards requiring session-based metadata access controls.

View sourceRepository: CyberStrike
Install in Claude Code
Copy
git clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-2.8 && cp -r /tmp/cis-aws-compute-2.8/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-2.8 ~/.claude/skills/cis-aws-compute-2.8
Then start a new Claude Code session; the skill loads automatically.
Definition

SKILL.md

# Ensure the Use of IMDSv2 is Enforced on All Existing Instances

## Description

Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled on all running instances.

## Rationale

The IMDSv2 method uses session-based controls to help protect access and control of Amazon Elastic Compute Cloud (Amazon EC2) instance metadata. With IMDSv2, controls can be implemented to restrict changes to instance metadata.

## Impact

Once you enforce IMDSv2, then IMDSv1 no longer works, and applications that use IMDSv1 might not function correctly. Before enforcing IMDSv2, verify that any applications that use Amazon EC2 metadata are upgraded to a version that supports IMDSv2.

## Audit Procedure

### Using AWS CLI

1. Run the describe-instances command:

```bash
aws ec2 describe-instances --region us-east-1 --output text --filter "Name=metadata-options.http-tokens,Values=optional" --query "Reservations[*].Instances[*].{Instance:InstanceId}"
```

2. The output should look like this:

```
i-1234567abcdefghi0
i-1234567abcdefghi0
i-1234567abcdefghi0
```

The list above contains all the instances that have the metadata version set to optional which means either IMDSv1 or IMDSv2 can be used. Refer to the remediation below.

Repeat steps 1 - 2 for the other AWS regions.

### Using AWS Console

1. At this time the instance metadata setting for existing instances can only be reviewed and confirmed using AWS CLI.

## Expected Result

The CLI command should return an empty list, indicating all instances have http-tokens set to `required` (enforcing IMDSv2). Any instances listed are using optional mode allowing IMDSv1.

## Remediation

### Using AWS CLI

1. Run the modify-instance-metadata-options command using the list of Instances collected in the audit:

```bash
aws ec2 modify-instance-metadata-options --instance-id i-1234567abcdefghi0 --http-tokens required --http-endpoint enabled
```

2. The output should show the information for the instance and the metadata changes:

```json
{
  "InstanceId": "i-1234567abcdefghi0",
  "InstanceMetadataOptions": {
    "State": "pending",
    "HttpTokens": "required",
    "HttpPutResponseHopLimit": 1,
    "HttpEndpoint": "enabled"
  }
}
```

3. Repeat for the other instances and regions collected during the audit.

### Using AWS Console

1. At this time the instance metadata setting for existing instances can only be changed using AWS CLI.

## Default Value

By default, new EC2 instances may allow both IMDSv1 and IMDSv2 (http-tokens set to optional) depending on region and account settings.

## References

1. https://aws.amazon.com/premiumsupport/knowledge-center/ssm-ec2-enforce-imdsv2/
2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
3. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html
4. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html#configure_instance_details_step
5. https://docs.aws.amazon.com/config/latest/developerguide/ec2-imdsv2-check.html
6. https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enforce-ec2-imdsv2.html

## CIS Controls

| Controls Version | Control                                               | IG 1 | IG 2 | IG 3 |
| ---------------- | ----------------------------------------------------- | ---- | ---- | ---- |
| v8               | 3.3 Configure Data Access Control Lists               | x    | x    | x    |
| v7               | 14.6 Protect Information through Access Control Lists | x    | x    | x    |

## Profile

Level 2 | Manual
More from this repository
cis-aws-compute-10.1Skill

Ensure Managed Platform updates is configured

cis-aws-compute-10.2Skill

Ensure Persistent logs is setup and configured to S3

cis-aws-compute-10.3Skill

Ensure access logs are enabled

cis-aws-compute-10.4Skill

Ensure that HTTPS is enabled on load balancer

cis-aws-compute-11.1Skill

Ensure customer-managed keys are used to encrypt AWS Fargate ephemeral storage data for Amazon ECS

cis-aws-compute-12.1Skill

Ensure AWS Config is Enabled for Lambda and Serverless

cis-aws-compute-12.10Skill

Ensure Lambda functions do not allow unknown cross account access via permission policies

cis-aws-compute-12.11Skill

Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates