All Products
Search
Document Center

Cloud Config:ecs-instance-meta-data-mode-check

Last Updated:Jun 16, 2026

If the security-enhanced mode is forcibly used when the metadata of each ECS instance is accessed, the evaluation result is Compliant.

Scenarios

ECS instance metadata can be accessed in normal mode or security-enhanced mode. In security-enhanced mode, metadata access requires token-based authentication, which provides better protection against Server-Side Request Forgery (SSRF) attacks than normal mode.

Risk level

Default risk level: medium.

You can change the risk level based on your business requirements when you apply this rule.

Compliance evaluation logic

  • If the security-enhanced mode is forcefully used when the metadata of an ECS instance is accessed, the evaluation result is Compliant.
  • If the normal mode is used when the metadata of an ECS instance is accessed, the evaluation result is Incompliant. To remediate an incompliant configuration, seeIncompliance remediation.

Rule details

Item Description
Rule name ecs-instance-meta-data-mode-check
Rule identifier ecs-instance-meta-data-mode-check
Tag ECS and Instance
Automatic remediation Not supported
Trigger type Periodic execution
Evaluation frequency Every 24 hours
Supported resource type ECS instance
Input parameter None.

Incompliance remediation

Change the metadata access mode of an ECS instance to security-enhanced. For more information, seeInstance metadata.