IMDSv2 upgrade problem


I am trying to upgrade my old EC2 instances from IMDSv1 to IMDSv2. When I go to CloudWatch and check my instances' MetadataNoToken metric, it seems like all EC2 instances are calling the IMDS server every 30 minutes. Since it looks like a heartbeat check rather than an intentional call, does anyone know if it is a default heartbeat check from EC2?

Asked 7 months ago, 357 views
1 answer

Hello,

Kindly note that the 'MetadataNoToken' CloudWatch metric is used to determine whether there are any processes accessing instance metadata that are using Instance Metadata Service Version 1, which does not use a token. If all requests use token-backed sessions, i.e., Instance Metadata Service Version 2, the value will be 0. Hence, based on the above metric, we can see that IMDSv1 is being used on your instance. Typically, the AWS CLI, SDKs, automation scripts, packages, etc. can trigger these IMDSv1 calls.

While there is no direct way to determine the exact process or service that is using IMDSv1, we can suggest a workaround using the "aws-imds-packet-analyzer" tool, which may help you identify the sources of IMDSv1 calls on your EC2 instances. Please refer to the documentation below for more information:

[+] https://aws.amazon.com/about-aws/whats-new/2023/06/imds-packet-analyzer-simplifies-migration-imdsv2/

[+] https://github.com/aws/aws-imds-packet-analyzer

AWS
Arti_S
Answered 7 months ago
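As an added worked example (not part of the answer above, and not code from AWS or the packet-analyzer project), here are the two request shapes the MetadataNoToken metric distinguishes: a plain GET with no token (IMDSv1, the kind of call the metric counts) and the PUT-for-token-then-GET-with-header flow (IMDSv2). The token path and header names are the documented ones; everything else is constructed for the demo: a local HTTP server stands in for 169.254.169.254 and behaves as the real service does once the instance's metadata options are set to require tokens, and the token value and instance ID it hands back are made up.

```python
"""IMDSv1 vs IMDSv2 request pattern, shown against a local stand-in for the
metadata service (constructed for this example; not AWS code)."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"               # documented IMDSv2 header
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"     # documented IMDSv2 header
FAKE_TOKEN = "constructed-session-token"   # stand-in; the real service issues an opaque token
FAKE_INSTANCE_ID = "i-0123456789abcdef0"   # constructed value returned by the stand-in


class FakeImdsHandler(BaseHTTPRequestHandler):
    """Emulates the metadata endpoint with tokens required:
    PUT /latest/api/token issues a token; any GET without it is rejected (401)."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        if self.path == "/latest/api/token" and TTL_HEADER in self.headers:
            body = FAKE_TOKEN.encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(400)
            self.end_headers()

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) != FAKE_TOKEN:
            self.send_response(401)      # tokenless (IMDSv1-style) call rejected
            self.end_headers()
            return
        body = FAKE_INSTANCE_ID.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_fake_imds():
    """Start the stand-in on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeImdsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def get_v1(base, path="/latest/meta-data/instance-id"):
    """IMDSv1: a plain GET with no session token. Each such call increments
    MetadataNoToken while IMDSv1 is still allowed, and fails once it is not."""
    with urllib.request.urlopen(base + path, timeout=2) as r:
        return r.read().decode()


def get_v2(base, path="/latest/meta-data/instance-id", ttl=21600):
    """IMDSv2: PUT for a session token (TTL up to 21600 s), then GET with the token."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={TTL_HEADER: str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as r:
        token = r.read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as r:
        return r.read().decode()


def compare(base):
    """Returns (v1_status, v2_value): with tokens required, v1 gets 401 and v2 succeeds."""
    try:
        get_v1(base)
        v1_status = 200
    except urllib.error.HTTPError as e:
        v1_status = e.code
    return v1_status, get_v2(base)


if __name__ == "__main__":
    server, base = start_fake_imds()
    print(compare(base))
    server.shutdown()
```

Running the two calls against a real instance (base `http://169.254.169.254`) while `http-tokens` is still `optional` is a quick way to see what the metric is counting; switching the instance to `required` turns the `get_v1` path into the 401 the stand-in produces, which is why finding the callers first (the packet analyzer above) matters.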
