IMDSv2 for Amazon EC2 Access Nodes

You can configure Instance Metadata Service Version 2 (IMDSv2) for Amazon EC2 access nodes.

Use one of the following metadata options on the access node instance:

  • IMDSv2 only (HttpTokens=required): every metadata request must carry a session token obtained with a PUT to /latest/api/token; unauthenticated IMDSv1 GET requests are rejected.

  • IMDSv1/IMDSv2 (HttpTokens=optional): both versions are accepted, so plain IMDSv1 GET requests to the instance credentials still succeed. This is the less secure setting.

IAM Condition Keys

You can use IAM condition keys in an IAM policy or an SCP to allow an instance to launch only if it is configured to require IMDSv2 (HttpTokens=required). If you do this, also add the bAWSDisableIMDSv1 additional setting on the access node and set it to true.

Example of an SCP policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireImdsV2",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    }
  ]
}
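The following script is an added example, not part of this page or of the product; it shows how to find instances that still answer IMDSv1 before you enforce the SCP above, and how the SCP's StringNotEquals condition behaves against a RunInstances request. The instance data is a constructed sample in the shape of `aws ec2 describe-instances --output json`; the instance IDs and the us-east-1 region are placeholders. Treating an omitted HttpTokens as "not required" in the simulation is an assumption: it holds whether IAM sees the key as absent (a negated operator such as StringNotEquals matches on a missing key) or as the historical default of optional, which is why launch templates should set HttpTokens explicitly.

```python
"""Audit EC2 metadata options for IMDSv1 exposure and simulate the
RequireImdsV2 SCP. Added example; the data below is constructed."""
import json
import shlex

# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE_INSTANCES = json.loads("""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0aaaa111",
       "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                           "HttpEndpoint": "enabled"}},
      {"InstanceId": "i-0bbbb222",
       "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                           "HttpEndpoint": "enabled"}}
    ]},
    {"Instances": [
      {"InstanceId": "i-0cccc333",
       "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                           "HttpEndpoint": "disabled"}}
    ]}
  ]
}
""")


def imdsv1_exposed(describe_output):
    """Return instance IDs whose metadata endpoint is enabled and still
    answers unauthenticated IMDSv1 requests (HttpTokens != "required")."""
    exposed = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # A disabled endpoint serves neither version, so it is not an
            # IMDSv1 exposure right now (re-enabling it would reopen it).
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue
            if opts.get("HttpTokens", "optional") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def remediation_command(instance_id, region="us-east-1"):
    """Build the AWS CLI call that switches one instance to IMDSv2 only.
    The region is a placeholder assumption for the example."""
    args = [
        "aws", "ec2", "modify-instance-metadata-options",
        "--region", region,
        "--instance-id", instance_id,
        "--http-tokens", "required",
        "--http-endpoint", "enabled",
    ]
    return " ".join(shlex.quote(a) for a in args)


def scp_denies_launch(run_instances_request):
    """Simulate the RequireImdsV2 SCP against a RunInstances request body.

    ec2:MetadataHttpTokens carries MetadataOptions.HttpTokens from the
    request. Assumption (see lead-in): an omitted value is treated as not
    "required", so a launch that never sets HttpTokens is denied as well.
    """
    tokens = run_instances_request.get("MetadataOptions", {}).get("HttpTokens")
    return tokens != "required"


if __name__ == "__main__":
    for iid in imdsv1_exposed(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{iid}: IMDSv1 still enabled, remediate with:")
        print("  " + remediation_command(iid))
    for req in ({}, {"MetadataOptions": {"HttpTokens": "optional"}},
                {"MetadataOptions": {"HttpTokens": "required"}}):
        verdict = "DENIED" if scp_denies_launch(req) else "allowed"
        print(f"RunInstances {json.dumps(req)}: {verdict}")
```

Run the audit against real output by replacing SAMPLE_DESCRIBE_INSTANCES with `json.load()` of a saved `aws ec2 describe-instances` result. Remediate the access node itself before attaching the SCP, or its next launch of an instance without an explicit HttpTokens=required will be denied; that is also the moment to set bAWSDisableIMDSv1 on the access node.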

For more information, see "Configuring the instance metadata options" in the AWS documentation.
