Posted On: Oct 3, 2022

You can now set an EC2 Amazon Machine Image (AMI) to use Instance Metadata Service Version 2 (IMDSv2) by default. IMDSv2 is an enhancement to instance metadata access that requires session-oriented requests, adding defense in depth against unauthorized metadata access, for example an SSRF bug in an application on the instance being used to read the instance role's credentials. With IMDSv2, a client first sends a PUT request to the instance metadata service to start a session and retrieve a token, then presents that token in the X-aws-ec2-metadata-token header on its metadata requests; a plain GET with no token is refused. To set your instances as IMDSv2-only, you previously had to configure Instance Metadata Options (HttpTokens=required) at instance launch, or update the instance after launch with the ModifyInstanceMetadataOptions API.

Now, by using the IMDS AMI property, you can make every new instance launched from the AMI IMDSv2-only by default. When you set this property to IMDSv2 supported (ImdsSupport=v2.0 in the RegisterImage API), any instance launched from the AMI runs with HttpTokens=required, and its default PUT response hop limit is set to 2 so that containerized workloads on the instance, which sit one network hop behind the instance itself, can still reach the service.

To get started, register your AMI with this property set to IMDSv2. You can still override the AMI default and enable IMDSv1 on an individual instance through the Instance Metadata Options launch properties (HttpTokens=optional), and you can still use IAM controls, such as the ec2:MetadataHttpTokens condition key on RunInstances, to enforce IMDS settings regardless of what the AMI specifies.
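The session flow described above, and the difference the HttpTokens setting makes when an instance is launched IMDSv2-only versus overridden back to IMDSv1, can be exercised offline with a small mock of the metadata service. The following is an added example written for this page; it is not AWS code or the real service. The mock listens on a loopback port rather than 169.254.169.254, the metadata paths and the role name `demo-role` are constructed sample data, and the PUT response hop limit is not modeled because the real service enforces it on the IP TTL of its reply, which an in-process HTTP server cannot reproduce.

```python
"""Mock of the EC2 instance metadata service showing the IMDSv2 session flow.

Added illustration, not AWS code. Models only the HttpTokens setting
(required vs. optional) and token issuance; the hop limit is not modeled.
"""
import http.client
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL_SECONDS = 21600  # six hours, the IMDSv2 maximum token lifetime

# Constructed sample metadata; the role name is a placeholder, not real data.
FAKE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/iam/security-credentials/": "demo-role",
}


class ImdsHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_PUT(self):
        # Session start: PUT /latest/api/token with a TTL header returns a token.
        if self.path != "/latest/api/token":
            return self._reply(404)
        ttl = self.headers.get(TTL_HEADER, "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL_SECONDS:
            return self._reply(400)  # missing or out-of-range TTL is rejected
        token = secrets.token_urlsafe(32)
        self.server.tokens[token] = time.monotonic() + int(ttl)
        self._reply(200, token)

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        if token is not None:
            # A presented token must be one we issued and still unexpired.
            if self.server.tokens.get(token, 0.0) <= time.monotonic():
                return self._reply(401)
        elif self.server.http_tokens == "required":
            # IMDSv1-style GET with no token: refused on an IMDSv2-only instance.
            return self._reply(401)
        body = FAKE_METADATA.get(self.path)
        self._reply(200 if body is not None else 404, body or "")

    def _reply(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


class MockImds(HTTPServer):
    def __init__(self, http_tokens):
        assert http_tokens in ("required", "optional")
        super().__init__(("127.0.0.1", 0), ImdsHandler)
        self.http_tokens = http_tokens  # mirrors HttpTokens in the instance metadata options
        self.tokens = {}                # issued token -> expiry (monotonic seconds)

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self.server_address  # (host, port)


def fetch(addr, path, method="GET", headers=None):
    """Send one request; return (status, body) and never raise on 4xx."""
    conn = http.client.HTTPConnection(*addr, timeout=2)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def imdsv1_get(addr, path):
    """What an SSRF payload limited to a plain GET can do."""
    return fetch(addr, path)


def imdsv2_get(addr, path, ttl=MAX_TTL_SECONDS):
    """Session-oriented flow: PUT for a token, then GET with the token header."""
    status, token = fetch(addr, "/latest/api/token", "PUT", {TTL_HEADER: str(ttl)})
    if status != 200:
        return status, ""
    return fetch(addr, path, headers={TOKEN_HEADER: token})


def compare(http_tokens):
    """Run the credential-path requests against a mock with the given HttpTokens."""
    server = MockImds(http_tokens)
    addr = server.start()
    path = "/latest/meta-data/iam/security-credentials/"
    try:
        return {
            "v1": imdsv1_get(addr, path),
            "v2": imdsv2_get(addr, path),
            "bad_ttl_status": fetch(addr, "/latest/api/token", "PUT", {TTL_HEADER: "0"})[0],
            "forged_token_status": fetch(addr, path, headers={TOKEN_HEADER: "not-issued"})[0],
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in ("required", "optional"):
        print(mode, compare(mode))
```

With `HttpTokens=required`, the IMDSv1-style GET for the role credential path comes back 401 while the PUT-then-GET session flow succeeds; with the AMI default overridden to `optional`, the same plain GET returns the credential path, which is exactly the exposure the new AMI property is meant to close by default. A token the mock never issued, or a PUT with an invalid TTL, is rejected in either mode.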

The new IMDS AMI property is now available in all AWS Regions and AWS GovCloud (US).

To learn more about the new IMDS AMI property, see the IMDSv2 user guide.