If security-enhanced mode is enforced for metadata access on each ECS instance, the evaluation result is Compliant.
Scenarios
ECS instance metadata can be accessed in normal mode or security-enhanced mode. In normal mode, any process on the instance can read metadata, including the temporary credentials of the RAM role attached to the instance, with a plain unauthenticated GET request. In security-enhanced mode, the caller must first obtain a short-lived token and present it with every metadata request. Because the token is only issued in response to a PUT request that carries a custom header, the typical Server-Side Request Forgery (SSRF) primitive, a GET whose URL the attacker controls but whose method and headers they do not, cannot reach the metadata, so security-enhanced mode provides better protection against SSRF than normal mode.
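The following simulation shows why the token requirement matters. It is an added example, not code from the original page or from Alibaba Cloud: it models the metadata server in both modes and contrasts a legitimate client (PUT for a token, then GET with the token) against an SSRF primitive that can only issue attacker-chosen GET requests. The endpoint address, token path and header names are assumed from the ECS instance metadata documentation and should be checked against the Instance metadata page linked below; the TTL bounds and the metadata values are constructed for the example.

```python
"""Simulated ECS metadata server: normal mode vs. security-enhanced (token) mode."""
import secrets
import time
from dataclasses import dataclass, field

# Assumed from the ECS metadata documentation; verify before relying on them.
METADATA_ENDPOINT = "http://100.100.100.200"
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aliyun-ecs-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aliyun-ecs-metadata-token"
MAX_TTL_SECONDS = 21600  # assumed upper bound for a token's lifetime

# Constructed sample metadata; the credential payload is a placeholder, not a real key.
CRED_PATH = "/latest/meta-data/ram/security-credentials/example-role"
SAMPLE_METADATA = {
    "/latest/meta-data/instance-id": "i-example0000000000000",
    CRED_PATH: '{"AccessKeyId": "EXAMPLE", "AccessKeySecret": "EXAMPLE", "SecurityToken": "EXAMPLE"}',
}


@dataclass
class MetadataServer:
    """Minimal model of the metadata server's request handling in one of the two modes."""
    mode: str  # "normal" or "security-enhanced"
    _tokens: dict = field(default_factory=dict)  # token -> expiry (monotonic seconds)

    def handle(self, method, path, headers=None):
        headers = headers or {}
        # Token issuance: only via PUT with the TTL header, in either mode.
        if method == "PUT" and path == TOKEN_PATH:
            ttl = headers.get(TTL_HEADER)
            if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL_SECONDS:
                return 400, "bad request: missing or invalid TTL header"
            token = secrets.token_urlsafe(32)
            self._tokens[token] = time.monotonic() + int(ttl)
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        # Security-enhanced mode: every metadata read must carry a valid, unexpired token.
        if self.mode == "security-enhanced":
            expiry = self._tokens.get(headers.get(TOKEN_HEADER))
            if expiry is None or expiry < time.monotonic():
                return 401, "unauthorized: missing, unknown or expired token"
        if path in SAMPLE_METADATA:
            return 200, SAMPLE_METADATA[path]
        return 404, "not found"


def legitimate_fetch(server, path, ttl="300"):
    """How a well-behaved client reads metadata: get a token, then present it."""
    status, body = server.handle("PUT", TOKEN_PATH, {TTL_HEADER: ttl})
    if status != 200:
        return status, body
    return server.handle("GET", path, {TOKEN_HEADER: body})


def ssrf_fetch(server, path):
    """Model of a typical SSRF primitive: the attacker controls the URL of a GET the
    application issues, but not the HTTP method or the request headers."""
    return server.handle("GET", path)


def expired_token_fetch(server, path):
    """Edge case: a token that has already expired must be rejected like no token at all."""
    status, token = server.handle("PUT", TOKEN_PATH, {TTL_HEADER: "1"})
    server._tokens[token] = time.monotonic() - 1  # force expiry without sleeping
    return server.handle("GET", path, {TOKEN_HEADER: token})


if __name__ == "__main__":
    for mode in ("normal", "security-enhanced"):
        srv = MetadataServer(mode)
        print(f"{mode:18} legitimate client -> {legitimate_fetch(srv, CRED_PATH)[0]}")
        print(f"{mode:18} SSRF GET          -> {ssrf_fetch(srv, CRED_PATH)[0]}")
```

In normal mode the SSRF GET returns the role credentials just as the legitimate client does; in security-enhanced mode the same GET is refused with 401 while the token-bearing client still succeeds. The defence rests entirely on the attacker being unable to issue the PUT with the TTL header, so application code that proxies arbitrary methods and headers to user-supplied URLs would still be exposed.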
Risk level
Default risk level: medium.
You can change the risk level based on your business requirements when you apply this rule.
Compliance evaluation logic
- If security-enhanced mode is enforced for metadata access on an ECS instance, the evaluation result is Compliant.
- If normal mode is allowed for metadata access on an ECS instance, the evaluation result is Incompliant. To remediate an incompliant configuration, see Incompliance remediation.
Rule details
| Item | Description |
| --- | --- |
| Rule name | ecs-instance-meta-data-mode-check |
| Rule identifier | ecs-instance-meta-data-mode-check |
| Tag | ECS and Instance |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Evaluation frequency | Every 24 hours |
| Supported resource type | ECS instance |
| Input parameter | None |
Incompliance remediation
Change the metadata access mode of the ECS instance to security-enhanced. Automatic remediation is not supported for this rule, so the change must be made manually for each incompliant instance. For more information, see Instance metadata.
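To reproduce the rule's evaluation logic and the manual remediation described above outside of the Cloud Config console, the script below walks a DescribeInstances-style response, classifies each instance as Compliant or Incompliant on the same basis as the rule, and emits the CLI command to switch each incompliant instance. This is an added example, not Alibaba Cloud's own implementation of the rule. It assumes that the `MetadataOptions.HttpTokens` field of an ECS DescribeInstances response is `required` when security-enhanced mode is enforced and `optional` otherwise, and that `ModifyInstanceMetadataOptions --HttpTokens required` is the call that enforces it; confirm both against the Instance metadata page. The response body is constructed sample data.

```python
"""Offline re-implementation of ecs-instance-meta-data-mode-check over a DescribeInstances response."""
import json

# Constructed sample shaped like an `aliyun ecs DescribeInstances` response (assumption:
# the metadata mode is exposed under MetadataOptions.HttpTokens).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "RegionId": "cn-hangzhou",
    "Instances": {"Instance": [
        {"InstanceId": "i-example00000000000a",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-example00000000000b",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-example00000000000c"},  # field absent: older record, treated as normal mode
    ]},
})


def metadata_mode(instance):
    """Map an instance record to the rule's two modes.

    Assumption: HttpTokens == "required" is security-enhanced mode; anything else,
    including a missing MetadataOptions block, is treated conservatively as normal mode."""
    options = instance.get("MetadataOptions") or {}
    return "security-enhanced" if options.get("HttpTokens") == "required" else "normal"


def evaluate(describe_response):
    """Apply the compliance evaluation logic: enforced security-enhanced mode is Compliant,
    anything that still allows normal mode is Incompliant."""
    data = json.loads(describe_response)
    results = []
    for inst in data["Instances"]["Instance"]:
        mode = metadata_mode(inst)
        results.append({
            "InstanceId": inst["InstanceId"],
            "RegionId": data["RegionId"],
            "mode": mode,
            "result": "Compliant" if mode == "security-enhanced" else "Incompliant",
        })
    return results


def remediation_commands(results):
    """Automatic remediation is not supported, so print the manual command per incompliant
    instance. Assumed CLI call; verify against the Instance metadata documentation."""
    return [
        f"aliyun ecs ModifyInstanceMetadataOptions --RegionId {r['RegionId']} "
        f"--InstanceId {r['InstanceId']} --HttpTokens required"
        for r in results if r["result"] == "Incompliant"
    ]


if __name__ == "__main__":
    findings = evaluate(SAMPLE_DESCRIBE_INSTANCES)
    for f in findings:
        print(f"{f['InstanceId']}  {f['mode']:18} {f['result']}")
    print("\nManual remediation:")
    for cmd in remediation_commands(findings):
        print(" ", cmd)
```

Run it against a real response by replacing the constructed JSON with the output of `aliyun ecs DescribeInstances --RegionId <region>`; because the rule only runs every 24 hours, a check like this is useful immediately after changing an instance's mode, before the next periodic evaluation confirms it.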