Posted On: Oct 31, 2022
You can now set an EC2 Amazon Machine Image (AMI) to use Instance Metadata Service Version 2 (IMDSv2) by default. IMDSv2 is an enhancement to instance metadata access that requires session-oriented requests to add defense in depth against unauthorized metadata access. IMDSv2 requires a PUT request to initiate a session to the instance metadata service and retrieve a token. To set your instances as IMDSv2-only, you previously had to configure Instance Metadata Options during instance launch or update your instance after launch using the ModifyInstanceMetadataOptions API.
Now, by using the IMDS AMI property, you can set all new instances launched from the AMI will be IMDSv2-only by default. When you set this property to IMDSv2 supported, any instance launched with the AMI will use IMDSv2-only and sets your default hop limit to 2 to allow for containerized workload support.
To get started, after making sure your AMI uses IMDSv2 calls, register you AMI as supporting IMDSv2. You can manually override these settings using Instance Metadata option launch properties. You can also still use IAM controls to enforce different IMDS settings.
The new AMI IMDS property is now available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) region, operated by NWCD.
To learn more about AMI properties, see the EC2 AMI API guide. For more information on IMDSv2, see the EC2 user guide.