You can configure Instance Metadata Service Version 2 (IMDSv2) for Amazon EC2 access nodes.
Use one of the following:
- IMDSv2 (HttpTokens=required)
- IMDSv1/IMDSv2 (HttpTokens=optional)
IAM Condition Keys
You can use IAM condition keys in an IAM policy or an SCP to allow an instance to launch only if it is configured to require the use of IMDSv2. If you do this, add the bAWSDisableIMDSv1 additional setting (set it to true) on the access node.
Example of an SCP:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireImdsV2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    }
  ]
}
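The following is an added example, not code from this page or from AWS: a small offline evaluator that applies the RequireImdsV2 SCP above to the request context of an ec2:RunInstances call, so you can check a launch's metadata options against the policy before relying on it in an account. It assumes the function names launch_denied and run_instances_context, models only the StringNotEquals operator, and treats a missing ec2:MetadataHttpTokens key the way IAM treats negated operators (the condition matches, so the launch is denied).

```python
"""Minimal evaluator for the RequireImdsV2 SCP shown on this page."""
import fnmatch

# The SCP from the page, embedded as sample input (structure copied verbatim).
REQUIRE_IMDSV2_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RequireImdsV2",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_not_equals(expected, actual):
    # Assumption modelled here: IAM's negated operators match when the key is
    # absent from the request context, so a launch that never sets HttpTokens
    # is denied as well as one that sets it to "optional".
    return actual is None or actual not in _as_list(expected)


def launch_denied(policy, action, resource, context):
    """Return the Sid of the first Deny statement that blocks the request, or None.
    Only StringNotEquals is modelled, which is all this SCP needs."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        matched = True
        for operator, pairs in stmt.get("Condition", {}).items():
            if operator != "StringNotEquals":
                raise NotImplementedError(f"condition operator {operator} is not modelled")
            for key, expected in pairs.items():
                matched = matched and _string_not_equals(expected, context.get(key))
        if matched:
            return stmt["Sid"]
    return None


def run_instances_context(metadata_options):
    """Request context IAM derives from the MetadataOptions of a RunInstances call."""
    tokens = (metadata_options or {}).get("HttpTokens")
    return {} if tokens is None else {"ec2:MetadataHttpTokens": tokens}
```

A launch that passes HttpTokens=required is allowed through; one that passes optional, or omits MetadataOptions entirely, is denied by the RequireImdsV2 statement.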
Related Topics
Configuring the instance metadata options in the AWS documentation