The Instance Metadata Service (IMDS) is a link-local HTTP endpoint (169.254.169.254) that an EC2 instance can query for information about itself, such as the instance ID, the SSH public keys injected at launch, and its private and public IP addresses. When an instance profile is attached to the instance, IMDS also serves the temporary credentials of the associated IAM role, which any process on the instance can use to call other AWS services.
Version 1 of IMDS uses a plain request/response model with no authentication: any process that can send an HTTP GET to the endpoint receives the data, role credentials included. Because the endpoint is reachable from the instance's own network, a server-side request forgery (SSRF) bug, a misconfigured reverse proxy or an over-permissive application running on the instance can be enough for an external attacker to read those credentials.
Version 2 is session oriented. A caller first obtains a token with an HTTP PUT to /latest/api/token (setting its lifetime with the X-aws-ec2-metadata-token-ttl-seconds header) and must then present that token in the X-aws-ec2-metadata-token header on every request. A simple GET cannot obtain a token, and the PUT response carries a hop limit (default 1) so it is not forwarded through proxies or NAT, which closes the common SSRF path. AWS recommends requiring IMDSv2 on every instance to prevent unauthorised access to the endpoint.
In this article we will walk through the steps to update an EC2 instance from IMDSv1 to IMDSv2 using AWS CLI.
You can also watch a quick hands-on video for updating IMDSv1 to IMDSv2.
To update your EC2 instance from IMDSv1 to IMDSv2 using AWS CLI, follow the steps below:
Step 1: To check which IMDS version an instance accepts, run the following command (the query is quoted so the shell does not treat the brackets as a glob pattern)
aws ec2 describe-instances --region=<REGION> --query 'Reservations[*].Instances[*].MetadataOptions'
In our case the command returns two MetadataOptions blocks, one per instance, as shown in the following screenshot. For both, HttpEndpoint is enabled and HttpTokens is optional. "optional" means the endpoint still answers token-less IMDSv1 requests (IMDSv2 calls work as well), so IMDSv1 is effectively enabled on both instances; only a value of "required" enforces IMDSv2.
Step 2: To demonstrate the update from IMDSv1 to IMDSv2, we select one of these instances and note down its instance ID
aws ec2 describe-instances --region=<REGION> --query 'Reservations[*].Instances[*].InstanceId'
Or
To see each instance ID together with its metadata options, you can also run the following command. It returns the full description of every EC2 instance in the selected region, including the MetadataOptions block, so you can tell at a glance which instances still accept IMDSv1
aws ec2 describe-instances --region=<REGION> --query 'Reservations[*].Instances'
Step 3: To enforce IMDSv2 on the selected instance, run the following command. In the parameters, HTTP endpoint must be set to enabled and HTTP tokens must be set to required. Before doing this on a production instance, confirm that nothing on it still relies on IMDSv1: the instance's MetadataNoToken CloudWatch metric counts token-less calls, and older SDKs or agents that only speak IMDSv1 will lose access to credentials once tokens are required. If containers on the instance need IMDS, also raise the PUT response hop limit with --http-put-response-hop-limit 2, because the default of 1 stops the token response at the first network hop
aws ec2 modify-instance-metadata-options --instance-id <INSTANCE ID> --http-endpoint enabled --http-tokens required --region=<REGION>
Step 4: Run the command from Step 1 again to confirm the change. The instance has been updated to IMDSv2 when its MetadataOptions show HttpTokens as required; the State field may read pending for a moment right after the change and then applied
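The four steps above can be scripted as a check, remediate and verify loop. The following helper is an added example, not code from the original article: it parses the JSON that aws ec2 describe-instances prints, lists every instance whose endpoint is enabled but still accepts token-less calls (HttpTokens not "required"), builds the exact modify-instance-metadata-options command from Step 3 for each of them, and checks the Step 4 condition on a fresh describe-instances output. The instance IDs and the describe-instances document are constructed sample data with the real output's shape, and the region is a placeholder.

```python
"""Audit helper for the IMDSv1 -> IMDSv2 procedure (added example, not the article's code)."""
import json
import shlex

# Constructed sample of `aws ec2 describe-instances` output, trimmed to the fields used
# here. The instance IDs are made up for illustration.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0123456789abcdef0",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0fedcba9876543210",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        ]},
        {"Instances": [
            # Endpoint disabled entirely: nothing can reach IMDS, so it is not an
            # IMDSv1 exposure and is left out of the remediation list.
            {"InstanceId": "i-00000000000000000",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2, "HttpEndpoint": "disabled"}},
        ]},
    ]
})


def _metadata_options(describe_output: str):
    """Yield (instance_id, MetadataOptions) for every instance in the JSON document."""
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            yield inst["InstanceId"], inst.get("MetadataOptions", {})


def instances_allowing_imdsv1(describe_output: str) -> list:
    """Step 1: IDs of instances whose endpoint is enabled but HttpTokens is not
    'required', i.e. the endpoint still answers token-less IMDSv1 requests."""
    return [
        instance_id
        for instance_id, opts in _metadata_options(describe_output)
        if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required"
    ]


def remediation_command(instance_id: str, region: str) -> str:
    """Step 3: the modify-instance-metadata-options call from the article, quoted for a
    POSIX shell. Add --http-put-response-hop-limit 2 yourself if containers need IMDS."""
    parts = [
        "aws", "ec2", "modify-instance-metadata-options",
        "--instance-id", instance_id,
        "--http-endpoint", "enabled",
        "--http-tokens", "required",
        "--region", region,
    ]
    return " ".join(shlex.quote(p) for p in parts)


def is_imdsv2_enforced(describe_output: str, instance_id: str) -> bool:
    """Step 4: True only when the instance reports HttpTokens == 'required' and the
    change is no longer pending. Unknown instance IDs are reported as not enforced."""
    for found_id, opts in _metadata_options(describe_output):
        if found_id == instance_id:
            return opts.get("HttpTokens") == "required" and opts.get("State") == "applied"
    return False


if __name__ == "__main__":
    # Replace SAMPLE_DESCRIBE_OUTPUT with the real output, e.g.
    # subprocess.run(["aws", "ec2", "describe-instances", "--region", REGION],
    #                capture_output=True, text=True).stdout
    region = "<REGION>"  # placeholder, not a real region
    for instance_id in instances_allowing_imdsv1(SAMPLE_DESCRIBE_OUTPUT):
        print(remediation_command(instance_id, region))
    print(is_imdsv2_enforced(SAMPLE_DESCRIBE_OUTPUT, "i-0fedcba9876543210"))
```

Run the script first with the real describe-instances output to get the list of commands, execute them after checking the MetadataNoToken metric for each instance, then re-run describe-instances and feed the new output to is_imdsv2_enforced for each ID you changed.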