AWS Services That Use EC2 Instance Metadata by Default

0

I have been trying to see what services could be utilizing IMDSv1 or v2 by default, but could not find resources that list any of those services, if any. We are switching all of our instances from IMDSv2 being optional to required (only allowing the use of IMDSv2). For some instances, prior to switching from v1 to v2, where we are sure we are not leveraging the metadata in any way within the instance, I can still see consistent use of IMDSv1 by using the AWS-recommended way of tracking the MetadataNoToken metric in CloudWatch. At this point I am not sure if there is any way to track what could be utilizing the metadata for those instances, constantly and at almost equal intervals.

I saw an answer here that is somewhat helpful, but I would like to better understand what could possibly be happening behind the scenes: https://repost.aws/questions/QU28Zq5Ge0Q5WJF27HPNMhoA/are-there-any-unintended-side-effects-of-disabling-the-ec-2-instance-metadata-service-endpoint-both-imd-sv-1-imd-sv-2

Ziad
asked a year ago · 590 views
1 Answer
0

Behind the scenes, as per the documentation, the various AWS SDKs (as long as they are recent!) support both IMDSv1 and IMDSv2. IMDSv2 is definitely preferred, but both will work.

You're right - it's going to be quite difficult to determine which processes/applications on an EC2 instance are calling IMDS. That's going to require software on the instance that tracks "outbound" TCP connections and then inspects those going to IMDS to determine which HTTP verb is being used. It's highly possible there are libraries which use IMDSv1 as a preference but will use IMDSv2 when v1 isn't available, but the only way to be sure is to test - or look at the source code.

AWS EXPERT
answered a year ago
  • Thanks for the answer! Just to clarify, I'm fully aware of the SDK scenario, but we have no code running on the instance; we are only running a simple 3rd-party solution that is not EC2- nor AWS-specific. This behaviour is observed on a couple of different instances. Does using an Amazon Linux AMI have any effect at all? I mean, does it utilize any metadata at all, by default?

  • There are likely tools and automated scripts running on the instance that do access IMDS. A good example would be the CloudWatch agent.
