Configure instance metadata options for new instances
Require the use of IMDSv2
There are various ways that you can require that IMDSv2 is used on an instance at launch, as follows:
Configure the instance at launch
When you launch an instance, you can configure the instance to require the use of IMDSv2 by configuring the following fields:
- Amazon EC2 console: Set Metadata version to V2 only (token required).
- Amazon CLI: Set HttpTokens to required.
When you specify that IMDSv2 is required, you must also enable the Instance Metadata Service (IMDS) endpoint by setting Metadata accessible to Enabled (console) or HttpEndpoint to enabled (Amazon CLI).
Configure the AMI
When you register a new AMI or modify an existing AMI, you can set the imds-support parameter to v2.0. Instances launched from this AMI will have Metadata version set to V2 only (token required) (console) or HttpTokens set to required (Amazon CLI). With these settings, the instance requires that IMDSv2 is used when requesting instance metadata.
Note that when you set imds-support to v2.0, instances launched from this AMI will also have Metadata response hop limit (console) or http-put-response-hop-limit (Amazon CLI) set to 2.
Important
Do not use this parameter unless your AMI software supports IMDSv2. After you set the value to v2.0, you can't undo it. The only way to "reset" your AMI is to create a new AMI from the underlying snapshot.
To configure a new AMI for IMDSv2
The following register-image example registers an AMI using the specified snapshot of an EBS root volume as device /dev/xvda. Specify v2.0 for the imds-support parameter so that instances launched from this AMI will require that IMDSv2 is used when requesting instance metadata.
aws ec2 register-image \
    --name my-image \
    --root-device-name /dev/xvda \
    --block-device-mappings DeviceName=/dev/xvda,Ebs={SnapshotId=snap-0123456789example} \
    --imds-support v2.0
To configure an existing AMI for IMDSv2
The following modify-image-attribute example modifies an existing AMI for IMDSv2 only. Specify v2.0 for the imds-support parameter so that instances launched from this AMI will require that IMDSv2 is used when requesting instance metadata.
aws ec2 modify-image-attribute \
    --image-id ami-0123456789example \
    --imds-support v2.0
Use an IAM policy
You can create an IAM policy that prevents users from launching new instances unless they require IMDSv2 on the new instance.
To enforce the use of IMDSv2 on all new instances by using an IAM policy
To ensure that users can only launch instances that require the use of IMDSv2 when requesting instance metadata, you can specify that the condition to require IMDSv2 must be met before an instance can be launched. For the example IAM policy, see Work with instance metadata.
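Requiring IMDSv2 on new instances and AMIs leaves the question of what is already running. The following script is an added example and not part of this documentation; it assumes the AWS CLI is installed and configured for the target region, and the function names classify_imds, audit_instances and audit_amis are its own. It reports instances whose metadata options still accept IMDSv1 and AMIs you own whose imds-support is not v2.0.

```shell
#!/bin/sh
# Added example (not AWS documentation code). Audits the same fields the
# text above describes: HttpEndpoint, HttpTokens and imds-support.
# Assumes a configured AWS CLI; nothing contacts AWS unless run with --run.

# Classify one instance's metadata options from the values of
# MetadataOptions.HttpEndpoint and MetadataOptions.HttpTokens.
classify_imds() {
  endpoint="$1"; tokens="$2"
  if [ "$endpoint" != "enabled" ]; then
    echo "imds-disabled"        # no metadata access at all
  elif [ "$tokens" = "required" ]; then
    echo "imdsv2-required"      # IMDSv1 requests are rejected
  else
    echo "imdsv1-allowed"       # token optional: IMDSv1 still answers
  fi
}

# Print one line per instance that does not require IMDSv2.
audit_instances() {
  aws ec2 describe-instances \
    --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpEndpoint,MetadataOptions.HttpTokens,MetadataOptions.HttpPutResponseHopLimit]' \
    --output text |
  while read -r id endpoint tokens hops; do
    state=$(classify_imds "$endpoint" "$tokens")
    [ "$state" = "imdsv2-required" ] || echo "$id $state hop-limit=$hops"
  done
}

# Print AMIs you own whose imds-support is not v2.0. An AMI with no
# imds-support value set is reported too, because instances launched from
# it default to HttpTokens=optional unless overridden at launch.
audit_amis() {
  aws ec2 describe-images --owners self \
    --query 'Images[?ImdsSupport!=`v2.0`].[ImageId,Name]' --output text
}

if [ "${1:-}" = "--run" ]; then
  audit_instances
  audit_amis
fi
```

Remediation for a reported instance is modify-instance-metadata-options with --http-tokens required, which this script deliberately does not apply on its own.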
Configure IPv4 and IPv6 endpoints
By default, the IPv6 endpoint is disabled. This is true even if you are launching an instance into an IPv6-only subnet. You can choose to enable the IPv6 endpoint at instance launch when using the Amazon CLI. This option is not available in the Amazon EC2 console.
The IPv6 endpoint for the IMDS is only accessible on Instances built on the Nitro System.
Configure IPv4 and IPv6 endpoints
The following run-instances example launches a t3.large instance with the IPv6 endpoint enabled for the IMDS. To enable the IPv6 endpoint, for the --metadata-options parameter, specify HttpProtocolIpv6=enabled. When you specify a value for HttpProtocolIpv6, you must also set HttpEndpoint to enabled.
aws ec2 run-instances \
    --image-id ami-0abcdef1234567890 \
    --instance-type t3.large \
    ... \
    --metadata-options "HttpEndpoint=enabled,HttpProtocolIpv6=enabled"
Turn off access to instance metadata
You can ensure that access to your instance metadata is turned off, regardless of which version of the IMDS you are using. You can turn on access later. For more information, see Turn on access to instance metadata.