This list is no longer being maintained in terms of adding new vendors. Existing vendors on the list will be removed as they add support for IMDSv2.
The following vendors do not allow customers to enforce IMDSv2 in their accounts. More information about what this is, what AWS can do, and what you can do, can be found beneath this list.
Where possible, I've linked to public support pages or Github issues for the vendors that confirm the vendor does not support IMDSv2. If that does not exist, then I have relied on multiple reports from customers (in all cases at least one such customer is someone I know personally). I have also reached out to the vendors to let them know they are on this list so they can provide corrections if this is not true. Check the commit history of this repo to see when this list was last updated.
In the wake of the 2019 Capital One breach, AWS released IMDSv2 as a way of mitigating SSRF attacks against EC2s that could steal the credentials of their IAM roles. By default, EC2s still allow the old Instance MetaData Service (IMDSv1) and so special action must be taken to require IMDSv2. The insecurity of IMDSv1 has been presented at major security conferences for years, such as Black Hat in 2014.
Real-world guidance on how to make the needed updates to support IMDSv2 can be found here.
Enforcing IMDSv2 can be done using the SCP found here. This has to be applied with caution though because a number of applications and unfortunately vendors may still require IMDSv1.
I want to improve the security of all customers on AWS by better enabling them to apply the security best practice of enforcing IMDSv2. This includes eradicating IMDSv1 from vendors and making IMDSv2 enforcement the default on AWS.
I am going to list the vendors here that are not allowing their customers to follow security best practices by not allowing them to enforce IMDSv2. I will be reaching out to these vendors to ensure they are aware of this project and request they provide timelines on their improvement. I have a number of requests to AWS themselves to improve the ability to enforce IMDSv2, and this includes making it a requirement of vendors to enforce IMDSv2. As such, any vendors that are harmful to the security of AWS customers should be delisted from the AWS Partner network.
The recent BreakingFormation security incident had questionable impact, but it did show that AWS's own production EC2s, that internally run the CloudFormation service, are not enforcing IMDSv2. As a result of AWS not implementing their own advised security best practices, they fell victim to an attack that IMDSv2 was specifically created to defeat. AWS controls the entire platform and ecosystem, and security is publicly described as "job zero" at AWS: Therefore, they should be the most capable of implementing security best practices on themselves, but it was shown they have not. Security incidents of cloud providers themselves are becoming more common and they have an obligation to customers to implement security best practices.
I have requested that AWS do the following to make it easier for both themselves and their customers to enforce IMDSv2.
Ensure all your products allow IMDSv2 enforcement.