AWSConfigRemediation-EnforceEC2InstanceIMDSv2 - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

The AWSConfigRemediation-EnforceEC2InstanceIMDSv2 runbook requires the Amazon Elastic Compute Cloud (Amazon EC2) instance you specify to use Instance Metadata Service Version 2 (IMDSv2).

Document type: Automation

Platforms: Linux, macOS, Windows

Parameters


  • InstanceId

    Type: String

    Description: (Required) The ID of the Amazon EC2 instance you want to require to use IMDSv2.

  • AutomationAssumeRole

    Type: String

    Allowed values: ^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • ec2:DescribeInstances

  • ec2:ModifyInstanceMetadataOptions

Document Steps

  • aws:executeScript - Sets the HttpTokens option to required on the Amazon EC2 instance you specify in the InstanceId parameter.

  • aws:assertAwsResourceProperty - Verifies IMDSv2 is required on the Amazon EC2 instance.
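The two document steps map onto two EC2 API calls. The following is an added example, not the runbook's own script, that reproduces them with boto3-style calls plus a small detection sweep for instances still accepting IMDSv1; FakeEC2 and the instance IDs are constructed so it runs offline, and a real boto3.client("ec2") can be passed in its place (the role then needs the ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions permissions listed above).

```python
HTTP_TOKENS_REQUIRED = "required"


def enforce_imdsv2(ec2, instance_id):
    """Step aws:executeScript: set HttpTokens to 'required' (needs ec2:ModifyInstanceMetadataOptions).
    Returns the option state EC2 reports; the real API answers 'pending' until the change is applied."""
    resp = ec2.modify_instance_metadata_options(
        InstanceId=instance_id, HttpTokens=HTTP_TOKENS_REQUIRED, HttpEndpoint="enabled"
    )
    return resp["InstanceMetadataOptions"]["State"]


def current_http_tokens(ec2, instance_id):
    """Step aws:assertAwsResourceProperty: read MetadataOptions.HttpTokens back (needs ec2:DescribeInstances)."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    return resp["Reservations"][0]["Instances"][0]["MetadataOptions"]["HttpTokens"]


def imdsv2_required(ec2, instance_id):
    return current_http_tokens(ec2, instance_id) == HTTP_TOKENS_REQUIRED


def find_noncompliant(ec2):
    """Detection sweep: IDs of instances that still accept IMDSv1 (HttpTokens == 'optional')."""
    noncompliant = []
    for reservation in ec2.describe_instances()["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["MetadataOptions"]["HttpTokens"] != HTTP_TOKENS_REQUIRED:
                noncompliant.append(inst["InstanceId"])
    return noncompliant


class FakeEC2:
    """Constructed offline stand-in for boto3.client('ec2'): mirrors the real response shapes
    but applies changes instantly instead of reporting 'pending' first."""
    def __init__(self, http_tokens_by_instance):
        self._opts = {iid: {"HttpTokens": tok, "HttpEndpoint": "enabled", "State": "applied"}
                      for iid, tok in http_tokens_by_instance.items()}

    def modify_instance_metadata_options(self, InstanceId, HttpTokens, HttpEndpoint="enabled"):
        self._opts[InstanceId].update(HttpTokens=HttpTokens, HttpEndpoint=HttpEndpoint)
        return {"InstanceId": InstanceId, "InstanceMetadataOptions": dict(self._opts[InstanceId])}

    def describe_instances(self, InstanceIds=None):
        ids = InstanceIds or list(self._opts)
        return {"Reservations": [{"Instances": [{"InstanceId": i, "MetadataOptions": dict(self._opts[i])}
                                                for i in ids]}]}


if __name__ == "__main__":
    ec2 = FakeEC2({"i-0123456789abcdef0": "optional", "i-0fedcba9876543210": "required"})  # constructed IDs
    for iid in find_noncompliant(ec2):
        enforce_imdsv2(ec2, iid)
        assert imdsv2_required(ec2, iid), f"{iid} still allows IMDSv1"
    print("noncompliant after remediation:", find_noncompliant(ec2))
```

Against the real service, poll current_http_tokens until MetadataOptions.State is 'applied' before asserting, since modify_instance_metadata_options returns while the change is still pending.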