Would like to run AWSSupport-ConfigureEC2Metadata Automation document on all current and future instances.


I have been following the re:Post doc https://repost.aws/knowledge-center/ssm-ec2-enforce-imdsv2 to start to set up this automation. Then I noticed that I can have this run against all my accounts in all my regions. So I pass it my account numbers and select the regions, but then it requires the instance IDs as input. How could I make this work for future instances? I would not know their IDs.

I am just trying to come up with a set-it-and-forget-it automation to change all instances over to IMDSv2.

asked 9 months ago, 230 views

1 Answer

The re:Post doc is for already created instances, to update them to IMDSv2 via automation.

For future unknown instances, a solution is to create a launch template which enforces IMDSv2 and then attach IAM policies to roles which launch instances to ensure IMDSv2 is utilized (https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-launch-template-permissions.html#instance-metadata-requireIMDSv2).

In addition, if using Control Tower, there is a control that could be put in place to prevent launching without IMDSv2: [CT.EC2.PR.1] Require an Amazon EC2 launch template to have IMDSv2 configured (https://docs.aws.amazon.com/controltower/latest/userguide/ec2-rules.html#ct-ec2-pr-1-description).

AWS, answered 9 months ago
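The two halves of the answer, as an added example that is not part of the original post: the IAM deny statement that blocks `ec2:RunInstances` unless the instance requires IMDSv2 tokens (the condition key `ec2:MetadataHttpTokens` from the linked docs), the launch template metadata options that satisfy it, and a pure function that picks out instances still accepting IMDSv1 from a DescribeInstances-shaped response so they can be fed to the AWSSupport-ConfigureEC2Metadata automation. The AMI, instance type and instance IDs are constructed placeholders.

```python
import json
from typing import List

# IAM policy to attach to roles that launch instances (assumption: SCP or role
# policy). Deny RunInstances unless metadata options require IMDSv2 tokens.
# StringNotEquals also matches when MetadataOptions is omitted entirely.
def require_imdsv2_policy() -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyLaunchWithoutIMDSv2",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
        }],
    }

# Launch template data that passes the policy above: tokens required and the
# PUT response limited to one network hop. ami_id/instance_type are placeholders.
def imdsv2_launch_template_data(ami_id: str, instance_type: str) -> dict:
    return {
        "ImageId": ami_id,
        "InstanceType": instance_type,
        "MetadataOptions": {"HttpTokens": "required",
                            "HttpEndpoint": "enabled",
                            "HttpPutResponseHopLimit": 1},
    }

# Given a DescribeInstances-shaped response, return the ids of instances whose
# metadata endpoint is enabled but does not require tokens (IMDSv1 still works).
# These are the existing instances the re:Post automation should target.
def imdsv1_instance_ids(describe_instances_response: dict) -> List[str]:
    noncompliant = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            endpoint_on = opts.get("HttpEndpoint", "enabled") == "enabled"
            if endpoint_on and opts.get("HttpTokens") != "required":
                noncompliant.append(inst["InstanceId"])
    return noncompliant

# Constructed sample response; the instance ids are not real.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0example1", "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0example2", "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0example3", "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
]}]}

if __name__ == "__main__":
    print(json.dumps(require_imdsv2_policy(), indent=2))
    print(imdsv1_instance_ids(SAMPLE_RESPONSE))  # ['i-0example1']
```

With boto3, the same function can be run over `describe_instances()` output per region to build the instance ID list the automation asks for.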
