Severity: HIGH · Category: Cross-service · Security

EC2 IMDSv2 Not Enforced

ec2-imdsv2-not-enforced

What this rule checks

Detects launch templates and launch configurations that do not require IMDSv2 (MetadataOptions.HttpTokens is not "required"), leaving instances exposed to SSRF-based credential theft.
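To make the check concrete, here is an added example (not CDK Insights' own rule code) that re-implements the test over the CloudFormation JSON that cdk synth writes: it walks the Resources map, reads MetadataOptions from launch templates (under LaunchTemplateData) and launch configurations (directly under Properties), and reports every resource whose HttpTokens is not "required", treating a missing MetadataOptions block as the EC2 default of "optional". The sample template, its logical IDs and the function names are constructed for this example.

```typescript
// Added example: a minimal re-implementation of the ec2-imdsv2-not-enforced
// check over a synthesised CloudFormation template. Names and sample data
// are constructed; this is not the CDK Insights rule implementation.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface Finding {
  logicalId: string;
  type: string;
  httpTokens: string | undefined; // undefined = MetadataOptions not set at all
}

const CHECKED_TYPES = new Set([
  'AWS::EC2::LaunchTemplate',
  'AWS::AutoScaling::LaunchConfiguration',
]);

// MetadataOptions sits under LaunchTemplateData for launch templates and
// directly under Properties for launch configurations.
function metadataOptionsOf(res: CfnResource): Record<string, any> | undefined {
  const props = res.Properties ?? {};
  if (res.Type === 'AWS::EC2::LaunchTemplate') {
    return props.LaunchTemplateData?.MetadataOptions;
  }
  if (res.Type === 'AWS::AutoScaling::LaunchConfiguration') {
    return props.MetadataOptions;
  }
  return undefined;
}

function findImdsv2NotEnforced(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (!CHECKED_TYPES.has(res.Type)) continue;
    const httpTokens = metadataOptionsOf(res)?.HttpTokens;
    // Anything other than the literal "required" (including no MetadataOptions
    // at all, which means the EC2 default "optional") still answers IMDSv1.
    if (httpTokens !== 'required') {
      findings.push({ logicalId, type: res.Type, httpTokens });
    }
  }
  return findings;
}

// Constructed sample: four EC2 launch resources plus one unrelated resource.
const sampleTemplate: CfnTemplate = {
  Resources: {
    LtNoOptions: {
      Type: 'AWS::EC2::LaunchTemplate',
      Properties: { LaunchTemplateData: { InstanceType: 't3.micro' } },
    },
    LtOptional: {
      Type: 'AWS::EC2::LaunchTemplate',
      Properties: {
        LaunchTemplateData: {
          InstanceType: 't3.micro',
          MetadataOptions: { HttpTokens: 'optional' },
        },
      },
    },
    LtRequired: {
      Type: 'AWS::EC2::LaunchTemplate',
      Properties: {
        LaunchTemplateData: {
          InstanceType: 't3.micro',
          MetadataOptions: { HttpTokens: 'required' },
        },
      },
    },
    LcRequired: {
      Type: 'AWS::AutoScaling::LaunchConfiguration',
      Properties: {
        ImageId: 'ami-00000000000000000',
        InstanceType: 't3.micro',
        MetadataOptions: { HttpTokens: 'required' },
      },
    },
    Bucket: { Type: 'AWS::S3::Bucket' },
  },
};

for (const f of findImdsv2NotEnforced(sampleTemplate)) {
  console.log(`${f.logicalId} (${f.type}): HttpTokens=${f.httpTokens ?? '<unset>'}`);
}
```

Run against a real stack by loading cdk.out/<Stack>.template.json instead of the constructed object; the two flagged resources above (LtNoOptions and LtOptional) are exactly the shapes the rule reports, while the "required" launch template and launch configuration pass.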

How to fix it

  1. Set MetadataOptions.HttpTokens to "required" on the launch template / launch configuration (the default is "optional", which still answers IMDSv1 requests).
  2. In CDK, pass requireImdsv2: true on the ec2.Instance or ec2.LaunchTemplate construct; it renders to HttpTokens: "required" in the synthesised template.
Flagged: The launch template does not set MetadataOptions, so instances default to allowing IMDSv1, a known SSRF-to-credential-theft path.
import * as ec2 from 'aws-cdk-lib/aws-ec2';

new ec2.CfnLaunchTemplate(this, 'Lt', {
  launchTemplateData: {
    instanceType: 't3.micro',
  },
});
Fixed: Setting httpTokens to "required" enforces IMDSv2 session tokens, blocking the simple single-request SSRF that IMDSv1 answers. Instances already running keep their old setting until they are replaced, so an Auto Scaling group must roll to the new launch template version (an instance refresh) before the fix takes effect.
import * as ec2 from 'aws-cdk-lib/aws-ec2';

new ec2.CfnLaunchTemplate(this, 'Lt', {
  launchTemplateData: {
    instanceType: 't3.micro',
    metadataOptions: { httpTokens: 'required' },
  },
});

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

  - AWS::EC2::LaunchTemplate
  - AWS::AutoScaling::LaunchConfiguration

Compliance frameworks

CIS, PCI-DSS, NIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate, a genuinely public endpoint, say. You can dismiss ec2-imdsv2-not-enforced and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "ec2-imdsv2-not-enforced", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::ec2-imdsv2-not-enforced',
  reason: 'Why this is intentional',
});

Use the rule ID ec2-imdsv2-not-enforced shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs →

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app β€” free, no account, your code never leaves your machine.
