- Newest
- Most votes
- Most comments
Hello,
Kindly note that 'MetadataNoToken' Cloudwatch metric is used to determine if there are any processes accessing instance metadata that are using Instance Metadata Service Version 1, which does not use a token. If all requests use token-backed sessions, i.e., Instance Metadata Service Version 2, the value will be 0. Hence based on the above metric, we can see that IMDSv1 is being used for your instance. Typically, AWS CLI, SDKs, any automation scripts, packages etc can trigger these IMDv1 calls.
While there is no direct way to determine the exact process or service that is using the IMDSv1, we can suggest you a workaround by making use of "aws-imds-packet-analyzer" tool which may be helpful for you to identify sources of IMDSv1 calls on your EC2 instances, Please refer below documentation for more information:
[+] https://aws.amazon.com/about-aws/whats-new/2023/06/imds-packet-analyzer-simplifies-migration-imdsv2/
Relevant content
- Accepted Answerasked 10 months ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 2 years ago