1 Answer
Behind the scenes, as per the documentation, the various AWS SDKs (as long as they are recent!) support both IMDSv1 and IMDSv2. IMDSv2 is definitely preferred but both will work.
You're right - it's going to be quite difficult to determine which processes/applications on an EC2 instance are calling IMDS - that's going to require software on the instance that tracks "outbound" TCP connections then inspects those going to IMDS to determine what HTTP verb it is using. It's highly possible there are libraries which use IMDSv1 as a preference but will use IMDSv2 when v1 isn't available but the only way to be sure is to test - or look at the source code.
Thanks for the answer! Just to clarify, I'm fully aware of the SDK scenario, but we have no code running on the instance; we are only running a simple 3rd party solution that is not EC2 nor AWS specific. This behaviour is observed on a couple of different instances. Does using an amazon-linux AMI have any effect at all, I mean does it utilize any metadata at all, by default?
There are likely tools and automated scripts running on the instance that do access IMDS. A good example would be the CloudWatch agent.
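The inspection step described in the answer, as an added example that is not part of the original thread: it labels captured requests addressed to IMDS as IMDSv1 or IMDSv2 and groups the result by calling process. Because IMDSv2 data requests are also GETs, it checks for the `X-aws-ec2-metadata-token` header as well as the verb. The `(process, raw request)` record format, the process names and the token value are assumptions made up for the sample.

```python
from collections import defaultdict

TOKEN_HEADER = "x-aws-ec2-metadata-token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers

def classify(raw: bytes) -> str:
    """Label one request already known to be addressed to IMDS."""
    try:
        method, path, headers = parse_request(raw)
    except ValueError:
        return "unparsed"
    if method == "PUT" and path == "/latest/api/token" and TTL_HEADER in headers:
        return "v2-token-request"
    if headers.get(TOKEN_HEADER):
        return "v2"
    # No session token on the request: this is the IMDSv1 style of call.
    return "v1"

def summarize(records):
    """Map each process name to the set of labels seen for it."""
    seen = defaultdict(set)
    for process, raw in records:
        seen[process].add(classify(raw))
    return dict(seen)

# Constructed sample: (process name, raw request) pairs; names and token are made up.
SAMPLE = [
    ("agent-a", b"PUT /latest/api/token HTTP/1.1\r\nHost: 169.254.169.254\r\n"
                b"X-aws-ec2-metadata-token-ttl-seconds: 21600\r\n\r\n"),
    ("agent-a", b"GET /latest/meta-data/instance-id HTTP/1.1\r\nHost: 169.254.169.254\r\n"
                b"X-aws-ec2-metadata-token: EXAMPLE-TOKEN\r\n\r\n"),
    ("legacy-script", b"GET /latest/meta-data/instance-id HTTP/1.1\r\n"
                      b"Host: 169.254.169.254\r\n\r\n"),
    ("broken", b"\x16\x03\x01garbage"),
]

if __name__ == "__main__":
    for process, labels in summarize(SAMPLE).items():
        print(process, sorted(labels))
```

Any process whose label set contains `v1` is one that would break, or fall back, once the instance is set to require IMDSv2.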