Amazon EC2 IMDS

AWS/Amazon EC2

  • outline

You can retrieve various kinds of information about an instance from Amazon EC2 through instance metadata. Previously, IMDSv1 had no authentication; IMDSv2 changed this to session-token-based authentication. Starting with Amazon Linux 2023, IMDSv2 is enabled by default, and on other AMIs IMDSv2-only operation can be enforced by disabling IMDSv1.

  • timeline

November 2019 - We launched IMDSv2 and showed you how to use it to add defense in depth.

February 2020 - We began to verify that all newly published products from AWS Marketplace sellers and AWS Partners support IMDSv2.

March 2023 - We launched Amazon Linux 2023, which uses IMDSv2 by default for all launches.

September 2023 - We published a blog post to show you how to Get the full benefits of IMDSv2 and disable IMDSv1 across your AWS infrastructure.

November 2023 - Starting today, all console Quick Start launches will use IMDSv2-only (all Amazon and Partner Quick Start AMIs support this).

  • how-to
# Generate a token (the TTL header is required; 21600 seconds is the maximum)

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Use the token to list the top-level metadata items

curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/

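The same two-step exchange in Python, as an added example that is not from this page or from AWS, together with the check a defender wants when rolling out IMDSv2-only: a token-less GET must be refused. The FakeIMDSv2 class, its loopback port and the instance id it returns are constructed stand-ins so the example runs offline; on a real instance, call the client functions with the default IMDS base URL.

```python
import secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen
from urllib.error import HTTPError
IMDS = "http://169.254.169.254"  # real endpoint; only reachable from inside an instance
TOKEN_HDR, TTL_HDR = "X-aws-ec2-metadata-token", "X-aws-ec2-metadata-token-ttl-seconds"

def fetch_token(base=IMDS, ttl=21600, timeout=2):
    # IMDSv2 step 1: PUT with the TTL header (max 21600 s); the response body is the session token
    req = Request(f"{base}/latest/api/token", method="PUT", headers={TTL_HDR: str(ttl)})
    return urlopen(req, timeout=timeout).read().decode()

def get_metadata(path, token, base=IMDS, timeout=2):
    # IMDSv2 step 2: every GET presents the session token in the X-aws-ec2-metadata-token header
    req = Request(f"{base}/latest/meta-data/{path}", headers={TOKEN_HDR: token})
    return urlopen(req, timeout=timeout).read().decode()

def imdsv1_reachable(base=IMDS, timeout=2):
    # Audit check: with tokens required, a token-less GET must be refused with HTTP 401
    try:
        urlopen(f"{base}/latest/meta-data/", timeout=timeout)
        return True
    except HTTPError as e:
        return e.code != 401

class FakeIMDSv2(BaseHTTPRequestHandler):
    # Constructed stand-in for an instance with HttpTokens=required (test double, not AWS code)
    tokens = set()
    def do_PUT(self):
        if self.path != "/latest/api/token" or TTL_HDR not in self.headers:
            return self._reply(400, "")
        tok = secrets.token_urlsafe(32); self.tokens.add(tok); self._reply(200, tok)
    def do_GET(self):
        if self.headers.get(TOKEN_HDR) not in self.tokens:
            return self._reply(401, "")  # IMDSv1-style (token-less) request is rejected
        self._reply(200, "i-0123456789abcdef0" if self.path.endswith("instance-id") else "instance-id\n")
    def _reply(self, code, body):
        self.send_response(code); self.end_headers(); self.wfile.write(body.encode())
    def log_message(self, *args): pass  # silence per-request logging

def demo():
    # Run the client against the fake service on a loopback port; returns what an auditor would check
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDSv2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return {"imdsv1_reachable": imdsv1_reachable(base),
                "instance_id": get_metadata("instance-id", fetch_token(base), base)}
    finally:
        srv.shutdown(); srv.server_close()
```

Against a real instance still allowing IMDSv1, imdsv1_reachable() returns True, which is the signal to set the metadata option that requires tokens.
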
  • reference

Instance metadata and user data - Amazon Elastic Compute Cloud

How Instance Metadata Service Version 2 works - Amazon Elastic Compute Cloud

Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service | AWS Security Blog (amazon.com)