To inspect suspicious traffic to the instance metadata service, I would check VPC Flow Logs. Those would show network connectivity, so you could see whether there is suspicious network traffic to the EC2 instance metadata service.
AWS GuardDuty comes with a VPC Flow Log Finding: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind (Keep in mind AWS GuardDuty does have a cost associated with the service: https://aws.amazon.com/guardduty/pricing/).
I would also recommend using IMDSv2 if possible, which is a session-based method compared to the request/response model of IMDSv1: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
VPC Flow Logs: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
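As an added example (not part of the original answer and not AWS code), the following Python audits the output shape of `ec2.describe_instances()` for instances whose metadata endpoint still accepts IMDSv1 and prints the `aws ec2 modify-instance-metadata-options` command that enforces IMDSv2. The sample response and its instance IDs are constructed placeholders; the live boto3 call only runs when the file is executed as a script.

```python
"""Audit EC2 instances whose IMDS still answers IMDSv1 (HttpTokens != "required")."""
from typing import Any, Dict, List

# Constructed sample in the shape returned by ec2.describe_instances();
# the instance IDs are placeholders, not real resources.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "MetadataOptions": {
                "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "MetadataOptions": {
                "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccccccccccccccc3", "MetadataOptions": {
                "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}


def find_imdsv1_instances(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return instances whose metadata endpoint is enabled but does not demand
    the IMDSv2 session token. An instance with the endpoint disabled cannot be
    reached by either protocol version, so it is skipped."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue
            if opts.get("HttpTokens", "optional") != "required":
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    # AWS recommends a hop limit of 1 with IMDSv2 so only the
                    # instance itself can complete the token PUT; report it too.
                    "HopLimit": opts.get("HttpPutResponseHopLimit"),
                    # AWS CLI command that turns on the IMDSv2 token requirement.
                    "Fix": "aws ec2 modify-instance-metadata-options --instance-id "
                           f"{inst['InstanceId']} --http-tokens required --http-endpoint enabled",
                })
    return findings


if __name__ == "__main__":
    import boto3  # only needed for a live scan; not required for the audit logic above
    for f in find_imdsv1_instances(boto3.client("ec2").describe_instances()):
        print(f"{f['InstanceId']}: hop limit {f['HopLimit']} -> {f['Fix']}")
```

For accounts with many instances, `describe_instances` paginates, so a live scan should feed each page to `find_imdsv1_instances` in turn.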