🟠 CIS AWS 6.1 | Rule: AWS-CMP-001 | Severity: high

Ensure EC2 instances use IMDSv2

Description

Instance Metadata Service v2 (IMDSv2) must be required to prevent SSRF-based credential theft.

⚠️ Risk Impact

IMDSv1 allows any process to retrieve instance credentials via a simple HTTP GET. SSRF vulnerabilities in applications can steal these credentials remotely.

🔍 How EchelonGraph Detects This

AWS-CMP-001 | Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Enforce IMDSv2: aws ec2 modify-instance-metadata-options --instance-id INSTANCE --http-tokens required
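The check the scanner performs and the fix the CLI command applies, as an added example that is not EchelonGraph's code: it evaluates the MetadataOptions block of EC2 DescribeInstances records against this rule (IMDSv1 allowed, hop limit above 1), skipping terminated instances, and produces the parameter set for the equivalent modify_instance_metadata_options call. The DescribeInstances page and instance ids are constructed sample data.

```python
from __future__ import annotations

MAX_HOP_LIMIT = 1  # a hop limit above 1 lets containers / NAT'd workloads reach IMDS

def _inst(iid: str, tokens: str, hops: int, state: str = "running") -> dict:
    # One instance record in the shape boto3 DescribeInstances returns (constructed sample)
    return {"InstanceId": iid, "State": {"Name": state},
            "MetadataOptions": {"HttpTokens": tokens, "HttpEndpoint": "enabled",
                                "HttpPutResponseHopLimit": hops}}

# Constructed DescribeInstances page; the instance ids are placeholders, not real resources.
SAMPLE_PAGE = {"Reservations": [{"Instances": [
    _inst("i-0aaa111", "optional", 1),                # IMDSv1 still allowed
    _inst("i-0bbb222", "required", 2),                # v2 enforced, but hop limit too high
    _inst("i-0ccc333", "required", 1),                # compliant
    _inst("i-0ddd444", "optional", 1, "terminated"),  # terminated: not reported
]}]}

def evaluate_instance(inst: dict) -> list[str]:
    """Findings for one instance; an empty list means compliant with AWS-CMP-001."""
    findings: list[str] = []
    opts = inst.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return findings  # no metadata endpoint at all, so there is nothing for SSRF to reach
    if opts.get("HttpTokens") != "required":
        findings.append("IMDSv1 allowed (HttpTokens != required)")
    hops = opts.get("HttpPutResponseHopLimit", 1)
    if hops > MAX_HOP_LIMIT:
        findings.append(f"hop limit {hops} > {MAX_HOP_LIMIT}")
    return findings

def scan_page(page: dict) -> dict[str, list[str]]:
    """Map instance id -> findings for every non-terminated instance on one response page."""
    results: dict[str, list[str]] = {}
    for reservation in page.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            if findings := evaluate_instance(inst):
                results[inst["InstanceId"]] = findings
    return results

def remediation_params(instance_id: str) -> dict:
    """Keyword args for ec2.modify_instance_metadata_options, mirroring the CLI fix above."""
    return {"InstanceId": instance_id, "HttpTokens": "required",
            "HttpPutResponseHopLimit": MAX_HOP_LIMIT, "HttpEndpoint": "enabled"}
```

Against a live account, feed each page from boto3's `describe_instances` paginator to `scan_page` and pass the dict from `remediation_params` to `ec2.modify_instance_metadata_options(**...)` for every reported instance; both are assumed boto3 calls, not shown here so the sample runs offline.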

💀 Real-World Attack Scenario

The Capital One breach (2019) exploited IMDSv1 via an SSRF vulnerability in a WAF. The attacker sent a crafted request through the WAF to http://169.254.169.254/latest/meta-data/iam/security-credentials/ and obtained temporary IAM credentials. These credentials had access to S3 buckets containing 100M+ records. IMDSv2 would have prevented this entirely.

💰 Cost of Non-Compliance

Capital One breach via IMDSv1: $80M fine + $190M settlement = $270M. AWS reports that IMDSv2 enforcement prevents 100% of SSRF-based credential theft attacks.

📋 Audit Questions

  1. How many EC2 instances still allow IMDSv1?
  2. Is there an SCP blocking IMDSv1 at the organization level?
  3. Are new instance launches automatically configured for IMDSv2?

🎯 MITRE ATT&CK Mapping

T1552.005 — Cloud Instance Metadata API
T1190 — Exploit Public-Facing Application

🏗️ Infrastructure as Code Fix

main.tf
resource "aws_instance" "app" {
  metadata_options {
    http_tokens                 = "required"  # IMDSv2 only: unauthenticated IMDSv1 requests are rejected
    http_put_response_hop_limit = 1           # keep at 1 so containers / NAT hops cannot reach IMDS
    http_endpoint               = "enabled"   # metadata endpoint stays available to the instance itself
  }
}

⚡ Common Pitfalls

  • Legacy applications that rely on IMDSv1 SDK behavior (check SDK version compatibility)
  • Setting http_put_response_hop_limit too high (allows containers to reach IMDS)
  • Not using SCP to enforce IMDSv2 organization-wide

📈 Business Value

IMDSv2 eliminates the most impactful cloud attack vector — SSRF-based credential theft. It's a zero-cost, zero-downtime change that prevents Capital One-scale breaches.

⏱️ Effort Estimate

Manual

30 minutes per instance; SDK compatibility testing may add 1-2 hours

With EchelonGraph

EchelonGraph identifies all instances using IMDSv1 and monitors for compliance

🔗 Cross-Framework References

SOC2-CC6.1 | ISO27001-A.14.2.5

Automate CIS AWS 6.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
