AWSConfigRemediation-EnforceEC2InstanceIMDSv2 - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWSConfigRemediation-EnforceEC2InstanceIMDSv2

Description

The AWSConfigRemediation-EnforceEC2InstanceIMDSv2 runbook requires the Amazon Elastic Compute Cloud (Amazon EC2) instance you specify to use Instance Metadata Service Version 2 (IMDSv2).

Document type

Automation

Owner

Amazon

Platforms

Linux, macOS, Windows

Parameters

  • InstanceId

    Type: String

    Description: (Required) The ID of the Amazon EC2 instance you want to require to use IMDSv2.

  • AutomationAssumeRole

    Type: String

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • HttpPutResponseHopLimit

    Type: Integer

    Description: (Optional) The HTTP PUT response hop limit for IMDS requests, that is, how many network hops a metadata response may travel back to the requester. Set to 2 or greater for EC2 instances hosting containers. Set to 0 to leave the current value unchanged (Default).

    Allowed pattern: ^([1-5]?\d|6[0-4])$

    Default: 0

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • ec2:DescribeInstances

  • ec2:ModifyInstanceMetadataOptions

Document Steps

  • aws:executeScript - Sets the HttpTokens option to required on the Amazon EC2 instance you specify in the InstanceId parameter.

  • aws:assertAwsResourceProperty - Verifies IMDSv2 is required on the Amazon EC2 instance.
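The two steps above (apply HttpTokens=required, then verify it), as an added Python example that is not part of the runbook or the Systems Manager documentation. It uses the boto3 EC2 client method names modify_instance_metadata_options and describe_instances, and a constructed FakeEC2 stand-in with a constructed instance ID so it runs offline; the 0 means "don't change" handling of HttpPutResponseHopLimit follows the parameter description above.

```python
"""Enforce IMDSv2 on one EC2 instance and verify the result (added example)."""
from typing import Any, Dict


def build_modify_request(instance_id: str, hop_limit: int = 0) -> Dict[str, Any]:
    """Parameters for ModifyInstanceMetadataOptions. HttpTokens=required is the
    remediation; a hop limit of 0 means leave the current value unchanged, so it
    is omitted from the request (same 0-64 range as the runbook's allowed pattern)."""
    if not 0 <= hop_limit <= 64:
        raise ValueError("HttpPutResponseHopLimit must be between 0 and 64")
    request: Dict[str, Any] = {"InstanceId": instance_id, "HttpTokens": "required"}
    if hop_limit > 0:
        request["HttpPutResponseHopLimit"] = hop_limit
    return request


def imdsv2_required(describe_response: Dict[str, Any], instance_id: str) -> bool:
    """Verification step: IMDSv2 is enforced only when MetadataOptions.HttpTokens
    is 'required' in the DescribeInstances response ('optional' still allows IMDSv1)."""
    for reservation in describe_response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            if instance.get("InstanceId") == instance_id:
                return instance.get("MetadataOptions", {}).get("HttpTokens") == "required"
    raise LookupError(f"instance {instance_id} not found in DescribeInstances response")


def enforce_imdsv2(ec2, instance_id: str, hop_limit: int = 0) -> bool:
    """Apply the change, then re-read the instance and confirm it took effect.
    `ec2` is any object exposing the boto3 EC2 client methods used below."""
    ec2.modify_instance_metadata_options(**build_modify_request(instance_id, hop_limit))
    return imdsv2_required(ec2.describe_instances(InstanceIds=[instance_id]), instance_id)


class FakeEC2:
    """Constructed offline stand-in for boto3.client('ec2'); starts with IMDSv1 allowed."""

    def __init__(self, instance_id: str, http_tokens: str = "optional", hop_limit: int = 1):
        self.state = {"InstanceId": instance_id,
                      "MetadataOptions": {"HttpTokens": http_tokens,
                                          "HttpPutResponseHopLimit": hop_limit}}

    def modify_instance_metadata_options(self, **kwargs):
        self.state["MetadataOptions"]["HttpTokens"] = kwargs["HttpTokens"]
        if "HttpPutResponseHopLimit" in kwargs:
            self.state["MetadataOptions"]["HttpPutResponseHopLimit"] = kwargs["HttpPutResponseHopLimit"]

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.state]}]}


if __name__ == "__main__":
    # Against a real account, replace FakeEC2 with: import boto3; ec2 = boto3.client("ec2")
    ec2 = FakeEC2("i-0123456789abcdef0")  # constructed instance ID
    print("IMDSv2 required:", enforce_imdsv2(ec2, "i-0123456789abcdef0", hop_limit=2))
```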