Would like to run AWSSupport-ConfigureEC2Metadata Automation document on all current and future instances.

Question

I have been following the repost doc https://repost.aws/knowledge-center/ssm-ec2-enforce-imdsv2 to start to setup this automation. Then I noticed that I can have this run against all my accounts in all my regions. So I pass it my account numbers and select the regions but then it requires as Input the instance ids. How could I make this work for future instances? I would not know their IDs.

I am just trying to come up with a set it and forget it automation to change all instances over to IMDSv2.

Answer

The repost doc is for already created instances to update them to imdsv2 via automation.

For future unknown instances, a solution is to create a launch template which enforces imdsv2 and then attach IAM policies to roles which launch instances to ensure imdsv2 is utilized (https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-launch-template-permissions.html#instance-metadata-requireIMDSv2).

In addition, if using control tower, there is a control that could be put in place to prevent launching without imdsv2:
[CT.EC2.PR.1] Require an Amazon EC2 launch template to have IMDSv2 configured (https://docs.aws.amazon.com/controltower/latest/userguide/ec2-rules.html#ct-ec2-pr-1-description)

Would like to run AWSSupport-ConfigureEC2Metadata Automation document on all current and future instances.

관련 콘텐츠