docs.aws.amazon.com
Effective URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html
CONFIGURE INSTANCE METADATA OPTIONS FOR NEW INSTANCES

You can configure the following instance metadata options for new instances.

OPTIONS
* Require the use of IMDSv2
* Enable the IMDS IPv4 and IPv6 endpoints
* Turn off access to instance metadata
* Allow access to tags in instance metadata

REQUIRE THE USE OF IMDSV2

You can use the following methods to require the use of IMDSv2 on your new instances.

TO REQUIRE IMDSV2
* Set IMDSv2 as the default for the account
* Configure the instance at launch
* Configure the AMI
* Use an IAM policy

SET IMDSV2 AS THE DEFAULT FOR THE ACCOUNT

You can set the default version of the instance metadata service (IMDS) at the account level for each AWS Region. When you launch a new instance, its instance metadata version is automatically set to the account-level default. You can manually override the value at launch or after launch. For more information about how the account-level settings and manual overrides affect an instance, see Order of precedence for instance metadata options.

NOTE
Setting the account-level default does not reset existing instances. For example, if you set the account-level default to IMDSv2, any existing instances that are set to IMDSv1 are not affected. To change the value on existing instances, you must modify the instances themselves.

You can set the account default for the instance metadata version to IMDSv2 so that all new instances in the account launch with IMDSv2 required and IMDSv1 disabled. With this account default, when you launch an instance, the following are the default values for the instance:

* Console: Metadata version is set to V2 only (token required) and Metadata response hop limit is set to 2.
* AWS CLI: HttpTokens is set to required and HttpPutResponseHopLimit is set to 2.

NOTE
Before setting the account default to IMDSv2, ensure that your instances do not depend on IMDSv1. For more information, see Recommended path to requiring IMDSv2.

Console

TO SET IMDSV2 AS THE DEFAULT FOR THE ACCOUNT FOR THE SPECIFIED REGION
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. In the navigation pane, choose EC2 Dashboard.
4. Under Account attributes, choose Data protection and security.
5. Next to IMDS defaults, choose Manage.
6. On the Manage IMDS defaults page, do the following:
   1. For Instance metadata service, choose Enabled.
   2. For Metadata version, choose V2 only (token required).
   3. For Metadata response hop limit, specify 2 if your instances will host containers. Otherwise, select No preference. When no preference is specified, the value at launch defaults to 2 if the AMI requires IMDSv2; otherwise it defaults to 1.
   4. Choose Update.

AWS CLI

TO SET IMDSV2 AS THE DEFAULT FOR THE ACCOUNT FOR THE SPECIFIED REGION
Use the modify-instance-metadata-defaults command and specify the Region in which to modify the IMDS account-level settings. Include --http-tokens set to required, and --http-put-response-hop-limit set to 2 if your instances will host containers. Otherwise, specify -1 to indicate no preference. When -1 (no preference) is specified, the value at launch defaults to 2 if the AMI requires IMDSv2; otherwise it defaults to 1.

    aws ec2 modify-instance-metadata-defaults \
        --region us-east-1 \
        --http-tokens required \
        --http-put-response-hop-limit 2

Expected output

    {
        "Return": true
    }

TO VIEW THE DEFAULT ACCOUNT SETTINGS FOR THE INSTANCE METADATA OPTIONS FOR THE SPECIFIED REGION
Use the get-instance-metadata-defaults command and specify the Region.
    aws ec2 get-instance-metadata-defaults --region us-east-1

Example output

    {
        "AccountLevel": {
            "HttpTokens": "required",
            "HttpPutResponseHopLimit": 2
        }
    }

TO SET IMDSV2 AS THE DEFAULT FOR THE ACCOUNT FOR ALL REGIONS
Use the modify-instance-metadata-defaults command to modify the IMDS account-level settings for all Regions. Include --http-tokens set to required, and --http-put-response-hop-limit set to 2 if your instances will host containers. Otherwise, specify -1 to indicate no preference. When -1 (no preference) is specified, the value at launch defaults to 2 if the AMI requires IMDSv2; otherwise it defaults to 1.

    echo -e "Region \t Modified" ; \
    echo -e "-------------- \t ---------" ; \
    for region in $( aws ec2 describe-regions \
        --region us-east-1 \
        --query "Regions[*].[RegionName]" \
        --output text ); do
        (output=$( aws ec2 modify-instance-metadata-defaults \
            --region $region \
            --http-tokens required \
            --http-put-response-hop-limit 2 \
            --output text)
        echo -e "$region \t $output"
        );
    done

Expected output

    Region           Modified
    --------------   ---------
    ap-south-1       True
    eu-north-1       True
    eu-west-3        True
    ...

Note that describe-regions lists only the Regions that are enabled for the account. A Region that you opt in to later keeps the service default until you run the command there, so repeat the loop (or add it to your Region enablement procedure) after enabling a new Region.

TO VIEW THE DEFAULT ACCOUNT SETTINGS FOR THE INSTANCE METADATA OPTIONS FOR ALL REGIONS
Use the get-instance-metadata-defaults command.

    echo -e "Region \t Level Hops HttpTokens" ; \
    echo -e "-------------- \t ------------ ---- ----------" ; \
    for region in $( aws ec2 describe-regions \
        --region us-east-1 \
        --query "Regions[*].[RegionName]" \
        --output text ); do
        (output=$( aws ec2 get-instance-metadata-defaults \
            --region $region \
            --output text)
        echo -e "$region \t $output"
        );
    done

Expected output

    Region           Level        Hops HttpTokens
    --------------   ------------ ---- ----------
    ap-south-1       ACCOUNTLEVEL 2    required
    eu-north-1       ACCOUNTLEVEL 2    required
    eu-west-3        ACCOUNTLEVEL 2    required
    ...

PowerShell

TO SET IMDSV2 AS THE DEFAULT FOR THE ACCOUNT FOR THE SPECIFIED REGION
Use the Edit-EC2InstanceMetadataDefault cmdlet and specify the Region in which to modify the IMDS account-level settings.
Include -HttpToken set to required, and -HttpPutResponseHopLimit set to 2 if your instances will host containers. Otherwise, specify -1 to indicate no preference. When -1 (no preference) is specified, the value at launch defaults to 2 if the AMI requires IMDSv2; otherwise it defaults to 1.

    Edit-EC2InstanceMetadataDefault `
        -Region us-east-1 `
        -HttpToken required `
        -HttpPutResponseHopLimit 2

Expected output

    True

TO VIEW THE DEFAULT ACCOUNT SETTINGS FOR THE INSTANCE METADATA OPTIONS FOR THE SPECIFIED REGION
Use the Get-EC2InstanceMetadataDefault cmdlet and specify the Region.

    Get-EC2InstanceMetadataDefault -Region us-east-1 | Format-List

Example output

    HttpEndpoint            :
    HttpPutResponseHopLimit : 2
    HttpTokens              : required
    InstanceMetadataTags    :

TO SET IMDSV2 AS THE DEFAULT FOR THE ACCOUNT FOR ALL REGIONS
Use the Edit-EC2InstanceMetadataDefault cmdlet to modify the IMDS account-level settings for all Regions. Include -HttpToken set to required, and -HttpPutResponseHopLimit set to 2 if your instances will host containers. Otherwise, specify -1 to indicate no preference. When -1 (no preference) is specified, the value at launch defaults to 2 if the AMI requires IMDSv2; otherwise it defaults to 1.

    (Get-EC2Region).RegionName | `
    ForEach-Object {
        [PSCustomObject]@{
            Region   = $_
            Modified = (Edit-EC2InstanceMetadataDefault `
                -Region $_ `
                -HttpToken required `
                -HttpPutResponseHopLimit 2)
        }
    } | `
    Format-Table Region, Modified -AutoSize

Expected output

    Region     Modified
    ------     --------
    ap-south-1 True
    eu-north-1 True
    eu-west-3  True
    ...

TO VIEW THE DEFAULT ACCOUNT SETTINGS FOR THE INSTANCE METADATA OPTIONS FOR ALL REGIONS
Use the Get-EC2InstanceMetadataDefault cmdlet.
    (Get-EC2Region).RegionName | `
    ForEach-Object {
        # One call per Region; both fields come from the same result object.
        $defaults = Get-EC2InstanceMetadataDefault -Region $_
        [PSCustomObject]@{
            Region                  = $_
            HttpPutResponseHopLimit = $defaults.HttpPutResponseHopLimit
            HttpTokens              = $defaults.HttpTokens
        }
    } | `
    Format-Table -AutoSize

Example output

    Region     HttpPutResponseHopLimit HttpTokens
    ------     ----------------------- ----------
    ap-south-1                       2 required
    eu-north-1                       2 required
    eu-west-3                        2 required
    ...

CONFIGURE THE INSTANCE AT LAUNCH

When you launch an instance, you can configure it to require the use of IMDSv2 by configuring the following fields:
* Amazon EC2 console: Set Metadata version to V2 only (token required).
* AWS CLI: Set HttpTokens to required.

When you specify that IMDSv2 is required, you must also enable the Instance Metadata Service (IMDS) endpoint by setting Metadata accessible to Enabled (console) or HttpEndpoint to enabled (AWS CLI). In a container environment, when IMDSv2 is required, we recommend setting the hop limit to 2. For more information, see Instance metadata access considerations.
Console

TO REQUIRE THE USE OF IMDSV2 ON A NEW INSTANCE
When launching a new instance in the Amazon EC2 console, expand Advanced details, and do the following:
* For Metadata accessible, choose Enabled.
* For Metadata version, choose V2 only (token required).
* (Container environment) For Metadata response hop limit, choose 2.
For more information, see Advanced details.

AWS CLI

TO REQUIRE THE USE OF IMDSV2 ON A NEW INSTANCE
The following run-instances example launches a c6i.large instance with --metadata-options set to HttpTokens=required. When you specify a value for HttpTokens, you must also set HttpEndpoint to enabled. Because the session token header is required on metadata retrieval requests, the instance must use IMDSv2 when requesting instance metadata; plain IMDSv1 GET requests without a token are refused. In a container environment, when IMDSv2 is required, we recommend setting the hop limit to 2 with HttpPutResponseHopLimit=2.

    aws ec2 run-instances \
        --image-id ami-0abcdef1234567890 \
        --instance-type c6i.large \
        ...
        --metadata-options "HttpEndpoint=enabled,HttpTokens=required,HttpPutResponseHopLimit=2"

PowerShell

TO REQUIRE THE USE OF IMDSV2 ON A NEW INSTANCE
The following New-EC2Instance cmdlet example launches a c6i.large instance with MetadataOptions_HttpEndpoint set to enabled and MetadataOptions_HttpTokens set to required. When you specify a value for HttpTokens, you must also set HttpEndpoint to enabled. Because the session token header is required on metadata retrieval requests, the instance must use IMDSv2 when requesting instance metadata.

    New-EC2Instance `
        -ImageId ami-0abcdef1234567890 `
        -InstanceType c6i.large `
        -MetadataOptions_HttpEndpoint enabled `
        -MetadataOptions_HttpTokens required

AWS CloudFormation

To specify the metadata options for an instance using AWS CloudFormation, see the AWS::EC2::LaunchTemplate MetadataOptions property in the AWS CloudFormation User Guide.
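What HttpTokens=required actually enforces on the instance, as an added example that is not part of the AWS page: a local stand-in for the metadata service (constructed here; the real service answers at http://169.254.169.254, and its hop limit is an IP TTL on the token response that this HTTP-level mock does not model) refuses the unauthenticated GET that IMDSv1 clients send and answers only the IMDSv2 exchange, a PUT to /latest/api/token carrying X-aws-ec2-metadata-token-ttl-seconds followed by a GET carrying X-aws-ec2-metadata-token. The mock's port, the instance ID and the metadata path are constructed sample data. Running the same client against the mock in optional mode shows the behaviour the note above warns about: software that still works only because IMDSv1 is answering.

```python
"""Added example (not AWS code): an IMDSv2-only client exercised against a local
mock of the metadata service that enforces the HttpTokens setting. The mock, its
port, the instance ID and the metadata path are constructed for this example;
the real service is at http://169.254.169.254 and this mock does not model the
IP TTL hop limit."""
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"


class MockIMDS(BaseHTTPRequestHandler):
    http_tokens = "required"                       # mirrors HttpTokens on the instance
    tokens = {}                                    # issued token -> expiry (epoch seconds)
    metadata = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}  # constructed

    def log_message(self, *args):                  # keep the demo quiet
        pass

    def do_PUT(self):                              # IMDSv2 step 1: mint a session token
        ttl = self.headers.get(TTL_HDR, "")
        if self.path != TOKEN_PATH or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400, "")
        token = secrets.token_urlsafe(32)
        MockIMDS.tokens[token] = time.time() + int(ttl)
        self._reply(200, token)

    def do_GET(self):                              # IMDSv2 step 2, or a bare IMDSv1 GET
        token = self.headers.get(TOKEN_HDR)
        if token is not None:
            if MockIMDS.tokens.get(token, 0.0) < time.time():
                return self._reply(401, "")        # unknown or expired token
        elif MockIMDS.http_tokens == "required":
            return self._reply(401, "")            # IMDSv1 is refused once tokens are required
        body = MockIMDS.metadata.get(self.path)
        self._reply(200 if body is not None else 404, body or "")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def imds_get(base, path, use_token=True, ttl=21600):
    """Return (status, body). With use_token, do the IMDSv2 PUT-then-GET exchange;
    without it, issue the unauthenticated GET that IMDSv1 clients send."""
    headers = {}
    if use_token:
        put = urllib.request.Request(base + TOKEN_PATH, data=b"", method="PUT",
                                     headers={TTL_HDR: str(ttl)})
        with urllib.request.urlopen(put, timeout=5) as resp:
            headers[TOKEN_HDR] = resp.read().decode()
    try:
        with urllib.request.urlopen(urllib.request.Request(base + path, headers=headers),
                                    timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def run_against_mock(http_tokens):
    """Start the mock with the given HttpTokens setting, try both client styles,
    and return {"v1": (status, body), "v2": (status, body)}."""
    MockIMDS.http_tokens = http_tokens
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    path = "/latest/meta-data/instance-id"
    try:
        return {"v1": imds_get(base, path, use_token=False),
                "v2": imds_get(base, path, use_token=True)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for setting in ("required", "optional"):
        print(setting, run_against_mock(setting))
```

With the mock in required mode the v1 call returns 401 and the v2 call returns the instance ID; in optional mode both succeed, which is exactly why an instance that has been working with the default setting gives no warning before the account default is switched. Pointing a real workload's metadata calls at the mock in required mode is a cheap way to find IMDSv1 dependencies before applying the account-level default.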
CONFIGURE THE AMI

When you register a new AMI or modify an existing AMI, you can set the imds-support parameter to v2.0. Instances launched from this AMI will have Metadata version set to V2 only (token required) (console) or HttpTokens set to required (AWS CLI). With these settings, the instance requires that IMDSv2 is used when requesting instance metadata. Note that when you set imds-support to v2.0, instances launched from this AMI will also have Metadata response hop limit (console) or http-put-response-hop-limit (AWS CLI) set to 2.

IMPORTANT
Do not use this parameter unless your AMI software supports IMDSv2. After you set the value to v2.0, you can't undo it. The only way to "reset" your AMI is to create a new AMI from the underlying snapshot.

TO CONFIGURE A NEW AMI FOR IMDSV2

Use one of the following methods to configure a new AMI for IMDSv2.

AWS CLI

The following register-image example registers an AMI using the specified snapshot of an EBS root volume as device /dev/xvda. Specify v2.0 for the imds-support parameter so that instances launched from this AMI will require that IMDSv2 is used when requesting instance metadata.

aws ec2 register-image \
    --name my-image \
    --root-device-name /dev/xvda \
    --block-device-mappings DeviceName=/dev/xvda,Ebs={SnapshotId=snap-0123456789example} \
    --architecture x86_64 \
    --imds-support v2.0

PowerShell

The following Register-EC2Image Cmdlet example registers an AMI using the specified snapshot of an EBS root volume as device /dev/xvda.
Specify v2.0 for the ImdsSupport parameter so that instances launched from this AMI will require that IMDSv2 is used when requesting instance metadata.

Register-EC2Image `
    -Name 'my-image' `
    -RootDeviceName /dev/xvda `
    -BlockDeviceMapping (
        New-Object `
            -TypeName Amazon.EC2.Model.BlockDeviceMapping `
            -Property @{
                DeviceName = '/dev/xvda';
                EBS = (New-Object -TypeName Amazon.EC2.Model.EbsBlockDevice -Property @{
                    SnapshotId = 'snap-0123456789example'
                    VolumeType = 'gp3'
                })
            }
    ) `
    -Architecture X86_64 `
    -ImdsSupport v2.0

TO CONFIGURE AN EXISTING AMI FOR IMDSV2

Use one of the following methods to configure an existing AMI for IMDSv2.

AWS CLI

The following modify-image-attribute example modifies an existing AMI for IMDSv2 only. Specify v2.0 for the imds-support parameter so that instances launched from this AMI will require that IMDSv2 is used when requesting instance metadata.

aws ec2 modify-image-attribute \
    --image-id ami-0123456789example \
    --imds-support v2.0

PowerShell

The following Edit-EC2ImageAttribute Cmdlet example modifies an existing AMI for IMDSv2 only. Specify v2.0 for the ImdsSupport parameter so that instances launched from this AMI will require that IMDSv2 is used when requesting instance metadata.

Edit-EC2ImageAttribute `
    -ImageId ami-0abcdef1234567890 `
    -ImdsSupport 'v2.0'
USE AN IAM POLICY

You can create an IAM policy that prevents users from launching new instances unless they require IMDSv2 on the new instance.

TO ENFORCE THE USE OF IMDSV2 ON ALL NEW INSTANCES BY USING AN IAM POLICY

To ensure that users can only launch instances that require the use of IMDSv2 when requesting instance metadata, you can specify that the condition to require IMDSv2 must be met before an instance can be launched. For the example IAM policy, see Work with instance metadata.

ENABLE THE IMDS IPV4 AND IPV6 ENDPOINTS

The IMDS has two endpoints on an instance: IPv4 (169.254.169.254) and IPv6 ([fd00:ec2::254]). When you enable the IMDS, the IPv4 endpoint is automatically enabled. The IPv6 endpoint remains disabled even if you launch an instance into an IPv6-only subnet. To enable the IPv6 endpoint, you need to do so explicitly. When you enable the IPv6 endpoint, the IPv4 endpoint remains enabled. You can enable the IPv6 endpoint at instance launch or after.

REQUIREMENTS FOR ENABLING THE IPV6 ENDPOINT

* The selected instance type is a Nitro-based instance.
* The selected subnet supports IPv6, where the subnet is either dual stack or IPv6 only.

Use any of the following methods to launch an instance with the IMDS IPv6 endpoint enabled.

Console

TO ENABLE THE IMDS IPV6 ENDPOINT AT INSTANCE LAUNCH

* Launch the instance in the Amazon EC2 console with the following specified under Advanced details:
  * For Metadata IPv6 endpoint, choose Enabled.

For more information, see Advanced details.

AWS CLI

TO ENABLE THE IMDS IPV6 ENDPOINT AT INSTANCE LAUNCH

The following run-instances example launches a c6i.large instance with the IPv6 endpoint enabled for the IMDS.
To enable the IPv6 endpoint, for the --metadata-options parameter, specify HttpProtocolIpv6=enabled. When you specify a value for HttpProtocolIpv6, you must also set HttpEndpoint to enabled.

aws ec2 run-instances \
    --image-id ami-0abcdef1234567890 \
    --instance-type c6i.large \
    ...
    --metadata-options "HttpEndpoint=enabled,HttpProtocolIpv6=enabled"

PowerShell

TO ENABLE THE IMDS IPV6 ENDPOINT AT INSTANCE LAUNCH

The following New-EC2Instance Cmdlet example launches a c6i.large instance with the IPv6 endpoint enabled for the IMDS. To enable the IPv6 endpoint, specify MetadataOptions_HttpProtocolIpv6 as enabled. When you specify a value for MetadataOptions_HttpProtocolIpv6, you must also set MetadataOptions_HttpEndpoint to enabled.

New-EC2Instance `
    -ImageId ami-0abcdef1234567890 `
    -InstanceType c6i.large `
    -MetadataOptions_HttpEndpoint enabled `
    -MetadataOptions_HttpProtocolIpv6 enabled

TURN OFF ACCESS TO INSTANCE METADATA

You can turn off access to the instance metadata by disabling the IMDS when you launch an instance. You can turn on access later by re-enabling the IMDS. For more information, see Turn on access to instance metadata.

IMPORTANT
You can choose to disable the IMDS at launch or after launch. If you disable the IMDS at launch, the following might not work:

* You might not have SSH access to your instance. The public-keys/0/openssh-key, which is your instance's public SSH key, will not be accessible because the key is normally provided and accessed from EC2 instance metadata.
* EC2 user data will not be available and will not run at instance start. EC2 user data is hosted on the IMDS. If you disable the IMDS, you effectively turn off access to user data.
To access this functionality, you can re-enable the IMDS after launch.

Console

TO TURN OFF ACCESS TO INSTANCE METADATA AT LAUNCH

* Launch the instance in the Amazon EC2 console with the following specified under Advanced details:
  * For Metadata accessible, choose Disabled.

For more information, see Advanced details.

AWS CLI

TO TURN OFF ACCESS TO INSTANCE METADATA AT LAUNCH

Launch the instance with --metadata-options set to HttpEndpoint=disabled.

aws ec2 run-instances \
    --image-id ami-0abcdef1234567890 \
    --instance-type c6i.large \
    ...
    --metadata-options "HttpEndpoint=disabled"

PowerShell

TO TURN OFF ACCESS TO INSTANCE METADATA AT LAUNCH

The following New-EC2Instance Cmdlet example launches an instance with MetadataOptions_HttpEndpoint set to disabled.

New-EC2Instance `
    -ImageId ami-0abcdef1234567890 `
    -InstanceType c6i.large `
    -MetadataOptions_HttpEndpoint disabled

AWS CloudFormation

To specify the metadata options for an instance using AWS CloudFormation, see the AWS::EC2::LaunchTemplate MetadataOptions property in the AWS CloudFormation User Guide.

ALLOW ACCESS TO TAGS IN INSTANCE METADATA

By default, instance tags are not accessible in the instance metadata. For each instance, you must explicitly allow access. If access is allowed, instance tag keys must comply with specific character restrictions, otherwise the instance launch will fail. For more information, see Allow access to tags in instance metadata.
© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.