Commvault uses the Amazon EC2 Instance Metadata Service (IMDS) to request EC2 instance metadata.
Disabling Instance Metadata Service Version 1 (IMDSv1)
Add the bAWSDisableIMDSv1 additional setting (set it to true) on the access node to ensure that IMDSv1 is not used by the Commvault Cloud software; metadata requests then use IMDSv2 only.
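The difference between the two metadata request styles, shown as an added example (this is not Commvault's or AWS's code): an IMDSv2 client first obtains a session token with a PUT and then sends that token on every read, while an IMDSv1 client sends a plain GET. The endpoint is modelled by an in-process function so the exchange runs offline; on a real instance the transport would be an HTTP call to http://169.254.169.254. The token value and instance ID are constructed samples, and mock_imds, read_metadata_v1, read_metadata_v2 and compare_clients are names chosen for this example.

```python
# Added example (not Commvault's or AWS's code): the IMDSv2 exchange that an
# IMDSv1-free client performs, run against a constructed in-process model of
# an instance whose metadata options are HttpTokens=required. On a real
# instance the transport would be an HTTP call to http://169.254.169.254;
# the token value and instance ID below are constructed samples.

TOKEN_PATH = "/latest/api/token"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
SAMPLE_TOKEN = "constructed-session-token"       # constructed sample
SAMPLE_INSTANCE_ID = "i-0123456789abcdef0"      # constructed sample
METADATA = {"/latest/meta-data/instance-id": SAMPLE_INSTANCE_ID}


def mock_imds(method, path, headers, tokens_required=True):
    """Model of the IMDS endpoint. Returns (status, body).

    tokens_required=True corresponds to HttpTokens=required (IMDSv2 only);
    False corresponds to HttpTokens=optional, where IMDSv1 reads still work.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if method == "PUT" and path == TOKEN_PATH:
        # IMDSv2 step 1: a PUT carrying a TTL header returns a session token.
        if TTL_HEADER not in headers:
            return 400, ""
        return 200, SAMPLE_TOKEN
    if method == "GET":
        has_token = headers.get(TOKEN_HEADER) == SAMPLE_TOKEN
        if tokens_required and not has_token:
            # A tokenless (IMDSv1-style) read is refused when tokens are required.
            return 401, ""
        if path in METADATA:
            return 200, METADATA[path]
        return 404, ""
    return 405, ""


def read_metadata_v1(transport, path):
    """IMDSv1 read: a plain GET with no session token."""
    return transport("GET", path, {})


def read_metadata_v2(transport, path, ttl_seconds=21600):
    """IMDSv2 read: obtain a session token with PUT, then GET with the token.
    21600 seconds (6 hours) is the maximum token TTL the service accepts."""
    status, token = transport("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl_seconds)})
    if status != 200:
        return status, ""
    return transport("GET", path, {TOKEN_HEADER: token})


def compare_clients(tokens_required):
    """Run both client styles against the modelled endpoint; returns a dict of
    (status, body) results keyed by client version."""
    def transport(method, path, headers):
        return mock_imds(method, path, headers, tokens_required)
    path = "/latest/meta-data/instance-id"
    return {"v1": read_metadata_v1(transport, path),
            "v2": read_metadata_v2(transport, path)}


if __name__ == "__main__":
    for required in (False, True):
        label = "HttpTokens=required" if required else "HttpTokens=optional"
        print(label, compare_clients(required))
```

With HttpTokens=optional both clients read the instance ID; with HttpTokens=required the IMDSv1 read is refused with 401 and only the token-bearing IMDSv2 read succeeds, which is why a client that has IMDSv1 disabled keeps working on an instance that enforces IMDSv2.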
Enforcing IMDSv2 Instance Metadata by Using IAM Policy
You can use AWS IAM condition keys in an IAM policy or a Service Control Policy (SCP) to allow an instance to launch only if it is configured to require the use of IMDSv2.
Example of an SCP that denies ec2:RunInstances unless the instance requires IMDSv2 instance metadata (ec2:MetadataHttpTokens set to required):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RequireImdsV2",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:MetadataHttpTokens": "required"
                }
            }
        }
    ]
}
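The SCP above governs new launches only; instances that already exist keep whatever metadata options they were launched with. The following added example (not Commvault's or AWS's code) is the audit a practitioner would run alongside the policy: it walks the Reservations -> Instances -> MetadataOptions structure that the EC2 DescribeInstances API returns and reports instances whose metadata endpoint is enabled but whose HttpTokens value is not required, i.e. where IMDSv1 requests still succeed. The response is a constructed sample, not real account data, and imdsv1_exposed_instances is a name chosen for this example.

```python
# Added example (not Commvault's or AWS's code): an audit that reads the
# structure returned by EC2 DescribeInstances (Reservations -> Instances ->
# MetadataOptions) and reports instances that still accept IMDSv1. The
# response below is a constructed sample, not real account data.
import json

SAMPLE_DESCRIBE_INSTANCES = json.loads("""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
      {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
       "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
      {"InstanceId": "i-0ccccccccccccccc3",
       "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}}
    ]}
  ]
}
""")


def imdsv1_exposed_instances(describe_response):
    """Return IDs of instances whose metadata endpoint is enabled but does not
    require session tokens, i.e. where IMDSv1 requests still succeed.

    HttpTokens is "optional" (IMDSv1 and IMDSv2 both accepted) or "required"
    (IMDSv2 only). An instance with HttpEndpoint=disabled serves no metadata
    at all, so it is not reported even if HttpTokens is "optional".
    """
    exposed = []
    for reservation in describe_response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            opts = instance.get("MetadataOptions", {})
            endpoint_enabled = opts.get("HttpEndpoint") == "enabled"
            if endpoint_enabled and opts.get("HttpTokens") != "required":
                exposed.append(instance["InstanceId"])
    return exposed


if __name__ == "__main__":
    for instance_id in imdsv1_exposed_instances(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{instance_id}: IMDSv1 still accepted (HttpTokens is not 'required')")
```

With boto3, the same function can be fed the pages returned by the EC2 client's describe_instances call, and each reported instance can be remediated with modify_instance_metadata_options(InstanceId=..., HttpTokens="required"); verify the access node's own instance is in the required state before enabling bAWSDisableIMDSv1 so that the setting and the instance configuration agree.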
Related Topics
- Amazon EC2 Instance Metadata Service IMDSv2 by default (AWS News Blog)
- Configuring the instance metadata options (AWS documentation)