How can I use Systems Manager automation to enforce only IMDSv2 access to my EC2 instance metadata?

2 minute read

I want to use only Instance Metadata Service Version 2 (IMDSv2) to access instance metadata from my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

By default, you use one or both of the following methods to retrieve instance metadata from a running Amazon EC2 instance:

Instance Metadata Service Version 1 (IMDSv1), a request/response method
IMDSv2, a session-oriented method

To require the use of IMDSv2 on an instance, run the AWS Systems Manager AWSSupport-ConfigureEC2Metadata runbook.

Important: When you enforce IMDSv2, you deactivate IMDSv1. This might affect applications that rely on IMDSv1. Before you enforce IMDSv2, make sure that all applications that use Amazon EC2 metadata are compatible with IMDSv2. For additional guidance on implementation best practices, see Recommended path to requiring IMDSv2.

Resolution

Prerequisites: To run the automation and read the output, you must have ssm:StartAutomationExecution and ssm:GetAutomationExecution permissions.

Run the AWSSupport-ConfigureEC2Metadata automation and choose Simple execution for Execute mode. Or, choose Rate control to run the automation on multiple targets. Then, configure the following settings for Input parameters:

For InstanceId, enter the ID of your EC2 instance.
For HttpPutResponseHopLimit, keep the default 0 to retain the current value. Or, enter a new value between 1 and 64.
For EnforceIMDSv2, choose required.
For MetadataAccess, choose enabled.
(Optional) For AutomationAssumeRole, choose a role. If you don't specify a role, then the automation uses the permissions of the user that runs the document.
Note: To change the target EC2 instance, the AutomationAssumeRole or user role must have ec2:ModifyInstanceMetadataOptions and ec2:DescribeInstances permissions. For more information about how to configure roles, see Create the service roles for Automation using the console.

Related information

Access instance metadata for an EC2 instance

Topics: Management & Governance
Tags: AWS Systems Manager
Language: English

AWS OFFICIALUpdated 7 months ago

2 Comments

Is it possible to add multiple instances when configuring metadata settings?

Abdul Moeed Mohammed

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

MODERATOR

AWS Official

replied 2 years ago

Relevant content

Would like to run AWSSupport-ConfigureEC2Metadata Automation document on all current and future instances.
rePost-User-7973960
asked 2 years ago
Defaul Host Mangement Confiuration and IMDSv2
francesd919
asked 2 years ago
Planning to migrate instance metadata from IMDSv1 to IMDSv2
Accepted Answer
Rajesh Khanna B
asked 2 years ago
IMDSv2 upgrade problem
rePost-User-4492945
asked 2 years ago
Are there any unintended side effects of disabling the EC2 instance metadata service endpoint (both IMDSv1 & IMDSv2)?
Accepted Answer
Victor Feinman
asked 4 years ago
How do I automate the creation of AMIs based on my EBS-backed EC2 instance using Systems Manager Automation?
AWS OFFICIALUpdated 4 years ago
How do I use Patch Manager patch policies to automate Linux updates on my EC2 instance?
AWS OFFICIALUpdated 7 months ago
How do I configure instance metadata and activate tags on my EC2 instance?
AWS OFFICIALUpdated 5 months ago
How do I manage RDP settings on a managed Amazon EC2 Windows instance?
AWS OFFICIALUpdated a year ago
Support Automation Workflow (SAW) Runbook: AWSSupport-ConfigureEC2Metadata
EXPERT
Maya Karalic
published 3 years ago