IMDSv2 upgrade problem
I am trying to upgrade my old EC2 instances from IMDSv1 to IMDSv2. When I go to Cloud Watch log and check my instances' MetadataNoToken metric, seems like all EC2 instances calling IMDS server every 30 mins. Since it looks a heartbeat checking rather than an intentionally call, do anyone know if it is a default heartbeat checking from EC2?
- Newest
- Most votes
- Most comments
Hello,
Kindly note that 'MetadataNoToken' Cloudwatch metric is used to determine if there are any processes accessing instance metadata that are using Instance Metadata Service Version 1, which does not use a token. If all requests use token-backed sessions, i.e., Instance Metadata Service Version 2, the value will be 0. Hence based on the above metric, we can see that IMDSv1 is being used for your instance. Typically, AWS CLI, SDKs, any automation scripts, packages etc can trigger these IMDv1 calls.
While there is no direct way to determine the exact process or service that is using the IMDSv1, we can suggest you a workaround by making use of "aws-imds-packet-analyzer" tool which may be helpful for you to identify sources of IMDSv1 calls on your EC2 instances, Please refer below documentation for more information:
[+] https://aws.amazon.com/about-aws/whats-new/2023/06/imds-packet-analyzer-simplifies-migration-imdsv2/
Relevant content
- Accepted Answerasked 10 months ago
AWS OFFICIALUpdated 3 months ago- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 2 years ago
