Security Hub Question

Before setting the IMDSv2 for the EC2 instance, check CloudWatch metric MetadataNoToken. This metric shows th.e number of IMDSv1 calls to the IMDS on your instances. If the metric MetadataNoToken records zero IMDSv1 usage, you can follow these options for updating existing EC2 instances:

1. From the Amazon EC2 console: select the EC2 instance, choose Actions --> Instance settings --> Modify instance metadata options --> for IMDSv2, select Required.
2. For EC2 instances created from Launch Templates, modify the MetadataOptions parameter in the Launch Template to require use of IMDSv2
3. From AWS CLI: Use the modify-instance-metadata-options CLI command to specify that only IMDSv2 is to be used.

If the metric MetadataNoToken shows IMDSv1 usage, update the SDKs, CLIs, and your software that use Role credentials on their EC2 instances to versions compatible with IMDSv2.

Reference: Transition to using Instance Metadata Service Version 2