Compliance · High severity

AWS Security Hub · AutoScaling

AutoScaling.3: Launched instances still allow IMDSv1

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub AutoScaling.3 check?

AutoScaling.3 fails when an Auto Scaling group's launch configuration does not require IMDSv2, that is, when its MetadataOptions do not set HttpTokens to required. Instances launched from it still accept IMDSv1 requests.

Why does AutoScaling.3 matter?

IMDSv1 lets any request that reaches the metadata endpoint pull the instance's IAM role credentials, which is exactly how the 2019 Capital One breach turned an SSRF bug into 106 million exposed records. IMDSv2's session-token handshake (a PUT to obtain a token, which every subsequent GET must carry in a header) makes a forged GET useless. Enforcing it on autoscaled fleets closes the single biggest credential-theft path on EC2.

How do I fix AutoScaling.3?

  1. Inspect existing launch configurations for their MetadataOptions.
  2. As a stop-gap, set HttpTokens to required on the metadata options. Launch configurations cannot be edited in place, so this means creating a replacement launch configuration with that setting and attaching it to the group.
  3. Properly, migrate the group to a Launch Template with IMDSv2 pinned, since launch configurations are deprecated.
  4. Run an instance refresh so already-running instances pick up the new policy.

Remediation script · bash

# Flip a running instance to IMDSv2-only (EC2.8). A hop limit of 1 keeps the token
# from crossing a network hop, so containers on a bridge network cannot reach IMDS;
# raise it to 2 only where containerised workloads on the host need metadata access.
aws ec2 modify-instance-metadata-options --instance-id i-0abc12def345f6789 \
  --http-tokens required --http-put-response-hop-limit 1 --http-endpoint enabled

# Migrate the launch source to a launch template with IMDSv2 required (AutoScaling.3),
# point the group at the new version (and off the deprecated launch configuration),
# then roll the fleet so existing instances actually pick it up.
aws ec2 create-launch-template-version --launch-template-id lt-0fee123abc456def0 \
  --source-version '$Latest' \
  --launch-template-data '{"MetadataOptions":{"HttpTokens":"required","HttpPutResponseHopLimit":2,"HttpEndpoint":"enabled"}}'
aws autoscaling update-auto-scaling-group --auto-scaling-group-name etl-workers-asg \
  --launch-template LaunchTemplateId=lt-0fee123abc456def0,Version='$Latest'
aws autoscaling start-instance-refresh --auto-scaling-group-name etl-workers-asg

# Lock it account-wide (the default is set per region) so new instances are born compliant.
aws ec2 modify-instance-metadata-defaults --http-tokens required --http-put-response-hop-limit 2

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce IMDSv2 on EC2.

Is AutoScaling.3 a false positive?

Changing the launch configuration alone does not retrofit instances already running: without an instance refresh the live fleet keeps allowing IMDSv1 even though the configuration now looks correct. Verify the running instances' MetadataOptions, not just the launch source, before treating the finding as resolved.
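The check above, and the launch-source audit from the remediation steps, as an added example (not Emnode's code): it evaluates a group's launch source and its running instances separately, so a corrected template with a never-refreshed fleet is still flagged. Input dicts follow the boto3 describe_* response shapes; the group, template data and instance ids are constructed sample values, and wiring the functions to live describe_auto_scaling_groups / describe_launch_template_versions / describe_instances calls is assumed to be done by the caller.

```python
def imdsv2_required(metadata_options):
    # HttpTokens must be explicitly 'required'. A missing key means the launch
    # source inherits the account default, which is 'optional' unless
    # modify-instance-metadata-defaults has been run in that region.
    return (metadata_options or {}).get("HttpTokens") == "required"


def evaluate_group(group, launch_source_metadata, instances_by_id):
    """group: one entry of describe_auto_scaling_groups()['AutoScalingGroups'].
    launch_source_metadata: MetadataOptions of the group's launch configuration,
    or of the LaunchTemplateData of its resolved launch template version.
    instances_by_id: {InstanceId: Instance dict from describe_instances()}."""
    stale = [
        i["InstanceId"] for i in group.get("Instances", [])
        if not imdsv2_required(
            instances_by_id.get(i["InstanceId"], {}).get("MetadataOptions"))
    ]
    source_ok = imdsv2_required(launch_source_metadata)
    return {
        "group": group["AutoScalingGroupName"],
        "launch_source_compliant": source_ok,          # what AutoScaling.3 looks at
        "uses_launch_configuration": "LaunchConfigurationName" in group,
        "instances_allowing_imdsv1": stale,             # what the control misses
        "needs_instance_refresh": source_ok and bool(stale),
    }


# Constructed sample: the launch template already pins IMDSv2, but one instance
# predates the change and still answers IMDSv1 calls.
SAMPLE_GROUP = {
    "AutoScalingGroupName": "etl-workers-asg",
    "LaunchTemplate": {"LaunchTemplateId": "lt-0fee123abc456def0", "Version": "$Latest"},
    "Instances": [{"InstanceId": "i-0aaa"}, {"InstanceId": "i-0bbb"}],
}
SAMPLE_LAUNCH_DATA = {
    "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 2}
}
SAMPLE_INSTANCES = {
    "i-0aaa": {"MetadataOptions": {"HttpTokens": "required"}},
    "i-0bbb": {"MetadataOptions": {"HttpTokens": "optional"}},  # launched before the fix
}


def audit_sample():
    return evaluate_group(SAMPLE_GROUP, SAMPLE_LAUNCH_DATA["MetadataOptions"], SAMPLE_INSTANCES)


if __name__ == "__main__":
    print(audit_sample())
```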

Part of the learning path Lock down access