Prisma Cloud RQL Query to List AWS EC2 Instances that are Instance Metadata Service Version 2 (IMDSv2) Non-Compliant

Prisma Cloud RQL Query to List AWS EC2 Instances that are Instance Metadata Service Version 2 (IMDSv2) Non-Compliant

1537
Created On 10/31/22 15:57 PM - Last Modified 01/22/24 08:56 AM


Question


  • Prisma Cloud RQL Query to List AWS EC2 Instances that are Instance Metadata Service Version 2 (IMDSv2) Non-Compliant

Environment


  • Prisma Cloud
  • AWS

Answer


config from cloud.resource where api.name = 'aws-ec2-describe-instances' AND json.rule = state contains running and metadataOptions.httpEndpoint equals enabled and metadataOptions.httpTokens does not contain required addcolumn instanceId

Example

Screenshot 2022-10-31 at 11.54.14 PM.png

 

Additional Information


You can also modify the RQL query by including the following statements to list the following:
  • EC2 instances that are IMDS V2 Compliant - metadataOptions.httpTokens contains required
  • EC2 instances that are IMDS V2 Non-Compliant - metadataOptions.httpTokens contains optional .
Use AWS IMDSv2
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEvTCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail