Amazon EC2 Instance Metadata and Instance Metadata Service Version 2 (IMDSv2)

Commvault uses Instance Metadata Service to request Amazon EC2 instance metadata.

Disabling Instance Metadata Service Version 1 (IMDSv1)

Add the bAWSDisableIMDSv1 additional setting (set it to true) on the access node to ensure that IMDSv1 is not used within the Commvault Cloud software.

Enforcing IMDSv2 Instance Metadata by Using IAM Policy

You can use AWS IAM condition keys in an IAM policy or a Service Control Policy (SCP) to allow an instance to launch only if it is configured to require the use of IMDSv2.

Example of an SCP policy that requires IMDSv2 instance metadata only:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireImdsV2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    }
  ]
}
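The SCP above only blocks new launches; instances that already exist keep whatever metadata options they were launched with. The following added Python example (not Commvault's or AWS's own code) reads the JSON returned by `aws ec2 describe-instances`, flags every instance whose metadata endpoint is enabled but whose HttpTokens is not `required`, and prints the CLI call that switches it to IMDSv2-only; the describe-instances response embedded below is constructed for the demo.

```python
"""Audit running EC2 instances for IMDSv2 enforcement (added example)."""
import json
import sys

# Constructed sample of `aws ec2 describe-instances` output: one compliant
# instance, one that still tolerates IMDSv1, one with the endpoint disabled.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Reservations": [{
        "Instances": [
            {"InstanceId": "i-0000000000000aaaa",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
            {"InstanceId": "i-0000000000000bbbb",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0000000000000cccc",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
        ]
    }]
})


def find_imdsv1_instances(describe_output: str) -> list:
    """Return IDs of instances that still accept IMDSv1 requests.

    An instance is flagged when its metadata endpoint is enabled and
    HttpTokens is anything other than "required" (the same condition the
    ec2:MetadataHttpTokens SCP key enforces at launch). Instances with the
    endpoint disabled serve neither IMDSv1 nor IMDSv2, so they are skipped.
    """
    data = json.loads(describe_output)
    flagged = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                flagged.append(inst["InstanceId"])
    return flagged


def remediation_command(instance_id: str) -> str:
    """Build the AWS CLI call that makes an existing instance IMDSv2-only."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-endpoint enabled")


if __name__ == "__main__":
    # Pipe real describe-instances JSON on stdin; otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for iid in find_imdsv1_instances(raw):
        print(remediation_command(iid))
```

Run it as `aws ec2 describe-instances | python audit_imds.py` to list the remediation commands for a real account.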
