Would like to run AWSSupport-ConfigureEC2Metadata Automation document on all current and future instances.


I have been following the re:Post doc https://repost.aws/knowledge-center/ssm-ec2-enforce-imdsv2 to start to set up this automation. Then I noticed that I can have this run against all my accounts in all my regions. So I pass it my account numbers and select the regions, but then it requires the instance IDs as input. How could I make this work for future instances? I would not know their IDs.

I am just trying to come up with a set-it-and-forget-it automation to change all instances over to IMDSv2.

asked 10 months ago, 241 views
1 answer

The re:Post doc is for already created instances, to update them to IMDSv2 via automation.

For future unknown instances, a solution is to create a launch template which enforces IMDSv2 and then attach IAM policies to the roles which launch instances to ensure IMDSv2 is utilized (https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-launch-template-permissions.html#instance-metadata-requireIMDSv2).

In addition, if using Control Tower, there is a control that could be put in place to prevent launching without IMDSv2: [CT.EC2.PR.1] Require an Amazon EC2 launch template to have IMDSv2 configured (https://docs.aws.amazon.com/controltower/latest/userguide/ec2-rules.html#ct-ec2-pr-1-description).

AWS
answered 10 months ago
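As an added example (not part of the answer above or any AWS sample), a Python/boto3 script that covers both halves of the answer: an IAM deny statement using the `ec2:MetadataHttpTokens` condition key so future launches must set IMDSv2, and a per-region sweep that flips existing instances to `HttpTokens=required` with `ModifyInstanceMetadataOptions` (a direct API alternative to running the Automation document per instance ID). The region list and the describe-instances payload in the test are constructed; boto3 is only imported inside the remediation function.

```python
"""Enforce IMDSv2 on existing instances and block future IMDSv1 launches."""
import json


def require_imdsv2_policy():
    """IAM policy document: deny RunInstances unless HttpTokens=required is requested.
    Attach it to every role/user that launches instances (incl. Auto Scaling roles)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyLaunchWithoutIMDSv2",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
        }],
    }


def noncompliant_instances(reservations):
    """Return IDs of non-terminated instances whose IMDS endpoint is enabled
    but still accepts IMDSv1 (HttpTokens != required)."""
    ids = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                ids.append(inst["InstanceId"])
    return ids


def remediate_region(region, execute=False):
    """Find instances still allowing IMDSv1 in one region; with execute=True, set
    HttpTokens=required on each. Returns the list of instance IDs found."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_instances").paginate()
    ids = [i for page in pages for i in noncompliant_instances(page["Reservations"])]
    for instance_id in ids if execute else []:
        ec2.modify_instance_metadata_options(InstanceId=instance_id, HttpTokens="required")
    return ids


if __name__ == "__main__":
    print(json.dumps(require_imdsv2_policy(), indent=2))
    for region in ["us-east-1", "eu-west-1"]:  # constructed region list; extend as needed
        print(region, remediate_region(region, execute=False))  # dry run: report only
```

Run this on a schedule (for example from an EventBridge-triggered Lambda) with `execute=True` to keep existing fleets converged while the IAM policy and launch template prevent new IMDSv1 instances from appearing.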
