Checks whether the security-enhanced mode is forcibly used when the metadata of each ECS instance is accessed. If so, the evaluation result is Compliant.
Scenarios
The metadata of ECS instances can be accessed in normal mode or security-enhanced mode. In security-enhanced mode, the metadata of an ECS instance can only be accessed with token-based authentication: a caller must first obtain a token and then present it on every metadata request. Compared with the normal mode, in which a single unauthenticated request returns metadata, the security-enhanced mode provides better protection against Server-Side Request Forgery (SSRF) attacks, because an attacker who can merely coerce the instance into sending a request to the metadata address cannot read metadata without also obtaining a valid token.
Risk level
Default risk level: medium.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If the security-enhanced mode is forcefully used when the metadata of each ECS instance is accessed, the evaluation result is Compliant.
- If the normal mode is used when the metadata of each ECS instance is accessed, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
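The evaluation logic above written out in Python, as an added example that is not part of the rule documentation. It assumes a DescribeInstances-style instance record in which `MetadataOptions.HttpTokens` is `"required"` when security-enhanced mode is forcibly used and `"optional"` when normal mode is still allowed; these field names and the sample records are assumptions, not taken from this page.

```python
# Added example: apply ecs-instance-meta-data-mode-check to instance records.
# Assumption (not from this page): each record carries MetadataOptions.HttpTokens,
# where "required" means security-enhanced mode is enforced and "optional"
# means the normal, unauthenticated mode is still accepted.
from typing import Any

COMPLIANT = "Compliant"
INCOMPLIANT = "Incompliant"


def metadata_mode(instance: dict[str, Any]) -> str:
    """Return 'security-enhanced' or 'normal' for one instance record."""
    options = instance.get("MetadataOptions") or {}
    # A missing or unknown value is treated as normal mode: the rule only
    # passes an instance when token-based access is positively enforced.
    tokens = str(options.get("HttpTokens", "optional")).lower()
    return "security-enhanced" if tokens == "required" else "normal"


def evaluate_instance(instance: dict[str, Any]) -> str:
    """Rule logic: Compliant only if security-enhanced mode is forcibly used."""
    if metadata_mode(instance) == "security-enhanced":
        return COMPLIANT
    return INCOMPLIANT


def evaluate_all(instances: list[dict[str, Any]]) -> dict[str, str]:
    """Map InstanceId -> evaluation result for one page of instance records."""
    return {inst["InstanceId"]: evaluate_instance(inst) for inst in instances}


# Constructed sample records; the instance IDs are placeholders, not real instances.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-example-hardened",
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-example-normal",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-example-missing"},  # no MetadataOptions at all
]


def incompliant_ids(instances: list[dict[str, Any]] = SAMPLE_INSTANCES) -> list[str]:
    """Instance IDs that still need remediation (switch to security-enhanced mode)."""
    return sorted(i for i, result in evaluate_all(instances).items()
                  if result == INCOMPLIANT)


if __name__ == "__main__":
    for instance_id, result in evaluate_all(SAMPLE_INSTANCES).items():
        print(f"{instance_id}: {result}")
```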
Rule details
Item | Description |
---|---|
Rule name | ecs-instance-meta-data-mode-check |
Rule identifier | ecs-instance-meta-data-mode-check |
Tag | ECS and Instance |
Automatic remediation | Not supported |
Trigger type | Periodic execution |
Evaluation frequency | Interval of 24 hours |
Supported resource type | ECS instance |
Input parameter | None. |
Incompliance remediation
Change the access mode for the metadata of an ECS instance to security-enhanced. For more information, see View instance metadata.