From aa759ab6b7cf4b0c7dbcfb16f91212e46890e164 Mon Sep 17 00:00:00 2001
From: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>
Date: Tue, 5 May 2026 16:42:47 +0200
Subject: [PATCH] fix(attack-surface): restore ec2-imdsv1 category alignment (#10998)

---
 api/src/backend/tasks/jobs/scan.py | 5 +++--
 api/src/backend/tasks/tests/test_scan.py | 1 +
 prowler/CHANGELOG.md | 1 +
 .../ec2_instance_account_imdsv2_enabled.metadata.json | 3 ++-
 .../ec2_instance_imdsv2_enabled.metadata.json | 3 ++-
 5 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/api/src/backend/tasks/jobs/scan.py b/api/src/backend/tasks/jobs/scan.py
index 515aea8620..d4bc2afba3 100644
--- a/api/src/backend/tasks/jobs/scan.py
+++ b/api/src/backend/tasks/jobs/scan.py
@@ -202,8 +202,9 @@ def _get_attack_surface_mapping_from_provider(provider_type: str) -> dict:
 "iam_inline_policy_allows_privilege_escalation",
 },
 "ec2-imdsv1": {
- "ec2_instance_imdsv2_enabled"
- }, # AWS only - IMDSv1 enabled findings
+ "ec2_instance_imdsv2_enabled",
+ "ec2_instance_account_imdsv2_enabled",
+ }, # AWS only - instance-level IMDSv1 exposure and account IMDS defaults
 }
 for category_name, check_ids in attack_surface_check_mappings.items():
 if check_ids is None:
diff --git a/api/src/backend/tasks/tests/test_scan.py b/api/src/backend/tasks/tests/test_scan.py
index dc13c31e08..0a7193cd4d 100644
--- a/api/src/backend/tasks/tests/test_scan.py
+++ b/api/src/backend/tasks/tests/test_scan.py
@@ -3853,6 +3853,7 @@ class TestAggregateAttackSurface:
 in result["privilege-escalation"]
 )
 assert "ec2_instance_imdsv2_enabled" in result["ec2-imdsv1"]
+ assert "ec2_instance_account_imdsv2_enabled" in result["ec2-imdsv1"]

 @patch("tasks.jobs.scan.AttackSurfaceOverview.objects.bulk_create")
 @patch("tasks.jobs.scan.Finding.all_objects.filter")
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index f4af56d82d..7d0915e31b 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
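Review bot: The check ids in the `ec2-imdsv1` set are a second copy of the `ec2-imdsv1` entry each check declares in its metadata.json `Categories`, and nothing in the hunk ties the two together, so the drift this commit repairs can recur the next time a check's categories change. I would state that where the set is defined, on its own line above the `"ec2-imdsv1": {` key, e.g. `# must match the "ec2-imdsv1" entry in each check's metadata.json Categories; update both together`, rather than growing the trailing comment on the closing brace, which now pushes that line well past a usual width. If `provider_type` already filters these AWS-only ids, the `AWS only` remark can go; the start of `_get_attack_surface_mapping_from_provider` is outside the hunk, so I cannot confirm that from here.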
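Review bot: The added assertion pins only the one id restored here; a check later added to or removed from the `ec2-imdsv1` category in its metadata.json, or an id misspelled in the mapping, would still pass. A cross-check that loads each mapped check's metadata and asserts the category is present, along the lines of `assert "ec2-imdsv1" in load_check_metadata(check_id)["Categories"]` for every id in `result["ec2-imdsv1"]`, would catch that drift, assuming the API tests can reach the prowler check metadata; I cannot see from this hunk whether such a loader exists, so `load_check_metadata` is a placeholder name. The test method this assertion belongs to starts outside the hunk.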
@@ -18,6 +18,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs [(#10937)](https://github.com/prowler-cloud/prowler/pull/10937)
 - AWS CodeBuild service now batches `BatchGetProjects` and `BatchGetBuilds` calls per region (up to 100 items per call) to reduce API call volume and prevent throttling-induced false positives in `codebuild_project_not_publicly_accessible` [(#10639)](https://github.com/prowler-cloud/prowler/pull/10639)
 - `display_compliance_table` dispatch switched from substring `in` checks to `startswith` to prevent false matches between similarly named frameworks (e.g. `cisa` vs `cis`) [(#10301)](https://github.com/prowler-cloud/prowler/pull/10301)
+- Restore the `ec2-imdsv1` category for EC2 IMDS checks to keep Attack Surface and findings filters aligned [(#10998)](https://github.com/prowler-cloud/prowler/pull/10998)

 ### 🐞 Fixed

diff --git a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json
index bc074fe730..7228d5dd59 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json
+++ b/prowler/providers/aws/services/ec2/ec2_instance_account_imdsv2_enabled/ec2_instance_account_imdsv2_enabled.metadata.json
@@ -34,7 +34,8 @@
 }
 },
 "Categories": [
- "secrets"
+ "secrets",
+ "ec2-imdsv1"
 ],
 "DependsOn": [],
 "RelatedTo": [],
diff --git a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json
index 5637f40e23..77d24a4820 100644
--- a/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json
+++ b/prowler/providers/aws/services/ec2/ec2_instance_imdsv2_enabled/ec2_instance_imdsv2_enabled.metadata.json
@@ -36,7 +36,8 @@
 },
 "Categories": [
 "identity-access",
- "secrets"
+ "secrets",
+ "ec2-imdsv1"
 ],
 "DependsOn": [],
 "RelatedTo": [],