Configuring IMDSv2

Commvault software supports the use of IMDSv2. You can configure the access nodes by following these guidelines:

  • Use IMDSv2 (HttpTokens=required)

  • Use IMDSv1/IMDSv2 (HttpTokens=optional)

Using IAM Condition Keys

Additionally, you can use IAM condition keys in an IAM policy or a service control policy (SCP) to allow an instance to launch only if it is configured to require the use of IMDSv2.

If you use IAM conditions or an SCP to limit launches to instances that require IMDSv2, add the bAWSDisableIMDSv1 additional setting (set it to true) on the access node.

Here's an example of an SCP policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RequireImdsV2",
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:*:instance/*",
          "Condition": {
            "StringNotEquals": {
              "ec2:MetadataHttpTokens": "required"
            }
          }
        }
      ]
    }
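An added example, not taken from Commvault or AWS documentation: the Python below reads the policy shown above together with a constructed sample shaped like `aws ec2 describe-instances` output, and reports which instances still accept IMDSv1 (HttpTokens=optional) and which already require IMDSv2. The instance IDs and the function names are assumptions made for the illustration.

```python
import json

# The SCP from this page.
SCP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "RequireImdsV2", "Effect": "Deny",
   "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
   "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}}]}
""")

# Constructed sample shaped like `aws ec2 describe-instances` output.
# The instance IDs are placeholders, not real resources.
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-constructed-1",
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-constructed-2",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-constructed-3",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
    {"InstanceId": "i-constructed-4"},  # MetadataOptions absent from the record
]}]}


def required_tokens(scp):
    """Return the ec2:MetadataHttpTokens value the Deny statement insists on."""
    for stmt in scp["Statement"]:
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if stmt.get("Effect") == "Deny" and "ec2:MetadataHttpTokens" in cond:
            return cond["ec2:MetadataHttpTokens"]
    raise ValueError("no Deny statement on ec2:MetadataHttpTokens")


def classify(opts, want):
    """Classify one instance's MetadataOptions against the required value."""
    if not opts or "HttpTokens" not in opts:
        return "unknown"            # cannot tell; inspect the instance by hand
    if opts.get("HttpEndpoint") == "disabled":
        return "imds-disabled"      # metadata service is switched off entirely
    return "imdsv2-only" if opts["HttpTokens"] == want else "imdsv1-allowed"


def audit(describe_output, scp):
    """Map each instance ID to its IMDS state relative to the SCP."""
    want = required_tokens(scp)
    return {inst["InstanceId"]: classify(inst.get("MetadataOptions"), want)
            for res in describe_output.get("Reservations", [])
            for inst in res.get("Instances", [])}


if __name__ == "__main__":
    for iid, state in audit(SAMPLE, SCP).items():
        print(iid, state)
```
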

For more information about AWS instance metadata options, see Configuring the instance metadata options.