Posted On: Mar 27, 2024

You can now set all new Amazon EC2 instance launches in your account to use Instance Metadata Service Version 2 (IMDSv2) by default. IMDSv2 is an enhancement that requires session-oriented requests to add defense in depth against unauthorized metadata access. To set your instances to IMDSv2-only, you previously had to use the IMDS Amazon Machine Image (AMI) property, set Instance Metadata Options during instance launch, or update instances after launch using the ModifyInstanceMetadataOptions API.

Now, when enabled, any new instances launched from your account will be IMDSv2-only by default. IMDS default settings are specific to individual Amazon Web Services regions in your account. Also available is a new CloudWatch metric MetadataNoTokenRejected indicating the number of times an IMDSv1 call was attempted and rejected after IMDSv1 is disabled. This metric can be used to make sure software on your instance is not attempting IMDSv1 calls after requiring IMDSv2.

To get started, use the EC2 console or enable IMDS defaults with a single API call per region. Enabling these defaults do not affect any existing instances in your account. You can still manually override these settings and enable IMDSv1 using Instance Metadata option launch properties. You can also still use IAM controls to enforce different IMDS settings. For example IAM policies, see Work with instance metadata.

The new IMDS account defaults are now available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD.

To learn more about the new IMDS account defaults and the MetadataNoTokenRejected CloudWatch metric, see the IMDSv2 user guide.