1 Answer
The re:Post doc is for already-created instances, to update them to IMDSv2 via automation.
For future, unknown instances, a solution is to create a launch template that enforces IMDSv2 and then attach IAM policies to the roles that launch instances, to ensure IMDSv2 is utilized (https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-launch-template-permissions.html#instance-metadata-requireIMDSv2).
In addition, if using Control Tower, there is a control that can be put in place to prevent launching without IMDSv2: [CT.EC2.PR.1] Require an Amazon EC2 launch template to have IMDSv2 configured (https://docs.aws.amazon.com/controltower/latest/userguide/ec2-rules.html#ct-ec2-pr-1-description)
answered a year ago
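The three pieces the answer describes (a launch template that enforces IMDSv2, an IAM policy on the launching role, and a guardrail that checks templates), as an added example that is not part of the answer or of AWS's own code. It builds the launch-template data and the Deny policy as plain dictionaries, then runs an offline check over constructed launch-template versions in the shape `describe_launch_template_versions` returns, mirroring what a control like CT.EC2.PR.1 verifies. The template name `web-lt`, the AMI/instance type values and the hop-limit choice are assumptions for illustration.

```python
"""Added example, not from the re:Post answer. Assumes nothing beyond the
documented EC2 API fields (MetadataOptions.HttpTokens/HttpEndpoint/
HttpPutResponseHopLimit) and the IAM condition key ec2:MetadataHttpTokens.
Names such as web-lt, ami-0123456789abcdef0 and t3.micro are placeholders."""
import json
from typing import List, Optional


def imdsv2_launch_template_data(image_id: str, instance_type: str) -> dict:
    """LaunchTemplateData for ec2:CreateLaunchTemplate with IMDSv2 enforced.

    HttpTokens=required rejects unsigned (IMDSv1) GETs to 169.254.169.254.
    HttpPutResponseHopLimit=1 additionally stops the PUT token response from
    crossing a network hop, so containers that NAT through the host cannot
    obtain a token (assumption: nothing on the instance legitimately needs
    IMDS from behind a hop; raise to 2 for ECS/EKS pods if they do)."""
    return {
        "ImageId": image_id,
        "InstanceType": instance_type,
        "MetadataOptions": {
            "HttpEndpoint": "enabled",
            "HttpTokens": "required",
            "HttpPutResponseHopLimit": 1,
        },
    }


def imdsv2_deny_policy() -> dict:
    """IAM policy for roles that launch instances: deny ec2:RunInstances unless
    the request sets HttpTokens=required. StringNotEquals also matches when
    the key is absent, so a launch that omits metadata options (and would
    default to IMDSv1 'optional') is denied as well."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RequireImdsV2OnLaunch",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringNotEquals": {"ec2:MetadataHttpTokens": "required"}
                },
            }
        ],
    }


def enforces_imdsv2(metadata_options: Optional[dict]) -> bool:
    """True only when the template explicitly requires session tokens.
    A missing MetadataOptions block means the AWS default (optional), which
    is exactly the gap the guardrail exists to catch."""
    if not metadata_options:
        return False
    return metadata_options.get("HttpTokens") == "required"


def audit_launch_template_versions(versions: List[dict]) -> List[str]:
    """Return 'name:version' for every version that does not enforce IMDSv2.
    Input follows the LaunchTemplateVersions list returned by
    ec2:DescribeLaunchTemplateVersions."""
    findings = []
    for v in versions:
        data = v.get("LaunchTemplateData", {})
        if not enforces_imdsv2(data.get("MetadataOptions")):
            findings.append(f"{v['LaunchTemplateName']}:{v['VersionNumber']}")
    return findings


# Constructed sample: three versions of one template, only the last compliant.
SAMPLE_VERSIONS = [
    {"LaunchTemplateName": "web-lt", "VersionNumber": 1,
     "LaunchTemplateData": {"ImageId": "ami-0123456789abcdef0"}},
    {"LaunchTemplateName": "web-lt", "VersionNumber": 2,
     "LaunchTemplateData": {"ImageId": "ami-0123456789abcdef0",
                            "MetadataOptions": {"HttpTokens": "optional",
                                                "HttpEndpoint": "enabled"}}},
    {"LaunchTemplateName": "web-lt", "VersionNumber": 3,
     "LaunchTemplateData": imdsv2_launch_template_data(
         "ami-0123456789abcdef0", "t3.micro")},
]

if __name__ == "__main__":
    print(json.dumps(imdsv2_deny_policy(), indent=2))
    print("non-compliant versions:", audit_launch_template_versions(SAMPLE_VERSIONS))
```

The two dictionaries drop straight into boto3: `ec2.create_launch_template(LaunchTemplateName="web-lt", LaunchTemplateData=imdsv2_launch_template_data(...))` and `iam.create_policy(PolicyName=..., PolicyDocument=json.dumps(imdsv2_deny_policy()))`. The policy alone does not fix templates that already exist with `HttpTokens` unset, which is why the audit over `describe_launch_template_versions` output (or the Control Tower control) is the second half of the enforcement.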