How can I use Systems Manager automation to enforce that only IMDSv2 is used to access instance metadata from my Amazon EC2 instance?

3 minute read
0

I want to use Instance Metadata Service Version 2 (IMDSv2) to access instance metadata from my Amazon Elastic Compute Cloud (Amazon EC2) instance. How do I enforce IMDSv2 on my Amazon EC2 instance?

Short description

By default, you can retrieve instance metadata from a running Amazon EC2 instance using either or both of the following methods:

  • Instance Metadata Service Version 1 (IMDSv1) – a request/response method
  • Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method

To require the use of IMDSv2 on an instance, you can run the AWS Systems Manager AWSSupport-ConfigureEC2Metadata Automation document.

Important: If you enforce IMDSv2, then IMDSv1 no longer works, and applications that use IMDSv1 might not function correctly. Before enforcing IMDSv2, verify that any applications that use Amazon EC2 metadata are upgraded to a version that supports IMDSv2. For more information about instance metadata, see Configure the instance metadata service.

Resolution

Prerequisites

To run the automation and read the output, you must have ssm:StartAutomationExecution and ssm:GetAutomationExecution permissions.

Run the AWSSupport-ConfigureEC2Metadata Automation document

  1. Open the Systems Manager console, and then choose Automation from the navigation pane.
  2. Choose Execute automation.
  3. On the Owned by Amazon tab, for Automation document, enter AWSSupport-ConfigureEC2Metadata, and then press Enter.
  4. Select the radio button for the AWSSupport-ConfigureEC2Metadata document, and then choose Next.
  5. For Execute automation document, choose Simple execution.
    Note: If you need to run the automation on multiple targets, then choose Rate Control.
  6. For Input parameters, specify the following parameters:
    InstanceId: Enter the ID of the Amazon EC2 instance that you want to configure metadata settings for.
    HttpPutResponseHopLimit: Leave as 0 to retain the current value, or enter your desired value (1-64).
    EnforceIMDSv2: Choose required.
    MetadataAccess Choose enabled.
  7. (Optional) For AutomationAssumeRole, choose a role. If a role isn't specified, then Systems Manager Automation uses the permissions of the user that runs the document.
    Note: To change the target Amazon EC2 instance, the AutomationAssumeRole or user role must have ec2:ModifyInstanceMetadataOptions and ec2:DescribeInstances permissions. For more information about creating the assume role for Systems Manager Automation, see Create a service role for Automation.
  8. Choose Execute.

You can also use the AWSSupport-ConfigureEC2Metadata document to change other Amazon EC2 instance metadata. For example, you can turn off metadata or change the value of the HttpPutResponseHopLimit attribute. For more information, see AWSSupport-ConfigureEC2Metadata.


Related information

Retrieve instance metadata

AWS OFFICIAL
AWS OFFICIALUpdated 3 years ago