En utilisant AWS re:Post, vous acceptez les Conditions d’utilisation

Support Automation Workflow (SAW) Runbook: AWSSupport-ConfigureEC2Metadata

Lecture de 3 minute(s)
Intermédiaire
2

How can I use the AWSSupport-ConfigureEC2Metadata to configure the instance metadata service (IMDS) options for Amazon Elastic Compute Cloud (Amazon EC2) instances.

The AWSSupport-ConfigureEC2Metadata runbook helps you to configure the instance metadata service (IMDS) options for Amazon Elastic Compute Cloud (Amazon EC2) instances. It also helps you to configure the desired HTTP PUT response hop limit for instance metadata requests and allow or deny instance metadata access.

In this article, I will show you how to use the AWSSupport-ConfigureEC2Metadata runbook to enforce the use of IMDSv2 for instance metadata on your Amazon EC2 instance. This is useful when you want to change the instance metadata service between IMDSv1 and IMDSv2. For more information about instance metadata, see Configuring the instance metadata service in the Amazon EC2 User Guide for Linux Instances.

How it works?

By default, you can retrieve instance metadata from a running Amazon EC2 instance using either or both of the following methods:

  • Instance Metadata Service Version 1 (IMDSv1) – a request/response method
  • Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

Important: If you enforce IMDSv2, then IMDSv1 no longer works, and applications that use IMDSv1 might not function correctly. Before enforcing IMDSv2, verify that any applications that use Amazon EC2 metadata are upgraded to a version that supports IMDSv2. For more information about instance metadata, see Configure the instance metadata service.

Prerequisites

Before running the automation make sure your user or the IAM service role has the permissions listed in the Required IAM permissions section.

Instructions

  1. Navigate to the Systems Manager console
  2. In the navigation pane, choose Documents
  3. In the document search type AWSSupport-ConfigureEC2Metadata
  4. Click on the document AWSSupport-ConfigureEC2Metadata
  5. Choose Execute automation
  6. For the input parameters enter the following:
    • EnforceIMDSv2: required (If you choose required, the Amazon EC2 instance will only use IMDSv2. If you choose optional, you can choose between IMDSv1 and IMDSv2 for metadata access).
    • HttpPutResponseHopLimit: 1 (This is the desired HTTP PUT response hop limit value for instance metadata requests. This value controls the number of hops that the PUT response can traverse. To prevent the response from traveling outside of the instance, we specify 1 for the parameter value).
    • InstanceId (Required): The ID of the Amazon EC2 instance whose metadata settings you want to configure.
    • MetadataAccess: enabled (This value allows metadata access in the Amazon EC2 instance. If you specify disabled, all other parameters will be ignored and the metadata access will be denied for the instance).

Enter image description here

  1. Click on Execute
  2. You should see that the automation has been initiated
  3. If the execution completes you should see the following in the output:
    • describeMetadataOptions.State
    • describeMetadataOptions.MetadataAccess
    • describeMetadataOptions.IMDSv2
    • describeMetadataOptions.HttpPutResponseHopLimit

Runbook execution output

Conclusion

In In this article, I have shown how to enforce IMDSv2 by using the SAW runbook AWSSupport-ConfigureEC2Metadata, available in System Manager.

References

Systems Manager Automation

Run this Automation (console)

Running a simple automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-working-executing.html

Setting up Automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html

Documentation related to the AWS service

For more information how to run this runbook, please see the AWS public document: AWSSupport-ConfigureEC2Metadata.

Aucun commentaire

Contenus pertinents