Will It Vibe logoWill It Vibe?
TF-007Medium severity-8 points

EC2 instance metadata service allows IMDSv1

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

http_tokens = "optional" leaves IMDSv1 enabled, so an SSRF against the instance can read its role credentials from the metadata endpoint without a session token.

Why it matters

http_tokens = "optional" leaves IMDSv1 enabled on the instance metadata service. IMDSv1 answers unauthenticated GET requests, so a server-side request forgery flaw in an app on the instance can read the attached role credentials straight from the metadata endpoint. IMDSv2 requires a session token and blocks that path.

How to fix it

Set http_tokens = "required" in the instance metadata_options to enforce IMDSv2, and set http_put_response_hop_limit to 1 unless containers on the host need a higher value. Apply the same setting to launch templates and Auto Scaling group configurations. Confirm that SDKs and agents on the instance are recent enough to use IMDSv2, which all current versions are.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks