AWS::EC2::Instance - MetadataOptions #655

Open
michaelwittig opened this issue Oct 15, 2020 · 23 comments
@michaelwittig

1. AWS::EC2::Instance-MetadataOptions

2. Scope of request

Add support to configure the EC2 IMDS to support:

  • Enable/disable the endpoint
  • Set the HTTP response hop limit
  • Make HTTP tokens optional (default) or required (disables IMDSv1)

3. Expected behavior

Allow CloudFormation to launch EC2 instance with IMDS disabled or restricted to v2.

5. Helpful Links to speed up research and evaluation

6. Category

  1. Compute (EC2, ECS, EKS, Lambda...)

7. Context

related #273 for AWS::AutoScaling::LaunchConfiguration

@0xdabbad00

Looks like this is now possible via Launch Templates: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-metadataoptions

@mildebrandt

@0xdabbad00 Right, that has been true for quite a while. This issue is to add it to the AWS::EC2::Instance type: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html

@coreylane

Any update?

@yoroto

yoroto commented Mar 18, 2022

Any update?

@fortygigserver

This would also be useful to set the feature "instance-metadata-tags" to enabled

@r-azh

r-azh commented Mar 25, 2022

I agree it would be useful to be able to set the "instance-metadata-tags" feature to enabled.

@kenlawrie1

Hi, any update on this? Having to use launch templates to enable ImdsV2 on EC2 instances is causing us issues.
Launch templates don't allow tags with spaces, and our SCP policies fail if we enforce both tags and ImdsV2 at the same time, hopefully only until this CloudFormation limitation is resolved.

@edc1934

edc1934 commented Jul 25, 2022

Any updates? Also need this feature.

@JohnPeacockMessageSystems

Going on two years for this trivial feature. I'm still trying to use Service Catalog, which requires vanilla CloudFormation. The InstanceMetadataTags option is missing from Launch Templates, so I can't use that either.

@donwalter

Add me to the list of people who would like this feature added.

@torabTech

Hi everyone,

Is there any example of enabling IMDSv2 in Autoscaling:Launchconfiguration cloudformation template? I would highly appreciate any reference or example.

@otakusid

otakusid commented Oct 31, 2022

@torabTech HttpPutResponseHopLimit set to 2 is required because IMDSv2 brings an extra hop in communication with the metadata service

"LaunchTemplate":{
  "Properties":{
    "LaunchTemplateData":{
      "MetadataOptions":{
        "HttpTokens":"required",
        "HttpPutResponseHopLimit":2
      }
    }
  },
  "Type":"AWS::EC2::LaunchTemplate"
}

"AutoScalingGroup": {
  "Properties": {
    "LaunchTemplate": {
      "LaunchTemplateId": {
        "Ref": "LaunchTemplate"
      },

      "Version": {
        "Fn::GetAtt": [
          "LaunchTemplate",
          "LatestVersionNumber"
        ]
      }
    }
  },
  "Type": "AWS::AutoScaling::AutoScalingGroup"
}

@cs-dww

cs-dww commented Nov 9, 2022

Adding a +1 here. We need this option as well.

AWS - What if we said Pretty Please?

@Rob-El

Rob-El commented Dec 12, 2022

IMDSv2 is also part of the Security Hub standards - EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2). Our security score gets dinged when we don't use IMDSv2, but we're also supposed to use code to provision resources. This creates a catch-22 situation. I hope this helps as far as prioritizing. Thank you!

@siebrand

@Rob-El : use a launch template for your instance with only those parts that you need, and include that in the instance. It also allows you to tag network interfaces and volumes as a bonus. But beware of changes in the launch template once deployed, as that can cause a redeploy.
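Putting the launch-template workaround from otakusid's and siebrand's comments together for a standalone AWS::EC2::Instance, as an added example that is not from this thread or from the CloudFormation coverage roadmap; ImageId and SubnetId are assumed template parameters, and InstanceMetadataTags is assumed to be accepted by current CloudFormation:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - IMDSv2-only AWS::EC2::Instance via a minimal launch template

Parameters:
  ImageId:
    Type: AWS::EC2::Image::Id    # assumption: supplied at deploy time
  SubnetId:
    Type: AWS::EC2::Subnet::Id   # assumption: supplied at deploy time

Resources:
  # The launch template carries only what AWS::EC2::Instance cannot express itself,
  # so the rest of the instance configuration stays on the instance resource.
  ImdsLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        MetadataOptions:
          HttpEndpoint: enabled          # IMDS stays reachable for the OS and agents
          HttpTokens: required           # IMDSv2 only; token-less IMDSv1 calls are rejected
          HttpPutResponseHopLimit: 1     # raise to 2 only if containers on the host must reach IMDS
          InstanceMetadataTags: enabled  # the "instance-metadata-tags" feature requested above

  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      SubnetId: !Ref SubnetId
      InstanceType: t3.micro
      LaunchTemplate:
        LaunchTemplateId: !Ref ImdsLaunchTemplate
        Version: !GetAtt ImdsLaunchTemplate.LatestVersionNumber
      Tags:
        - Key: Name
          Value: imdsv2-only-example
```

Because Version tracks LatestVersionNumber, any later edit to the launch template changes the value the instance is bound to, which is the redeploy risk siebrand mentions; pinning a specific version number instead keeps the instance stable across template edits.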

@Rob-El

Rob-El commented Dec 12, 2022

@siebrand Thanks for the tip! I do understand that launch templates are a workaround; I read through all the previous comments. In my opinion, Launch Templates add a cumbersome amount of config, for various reasons.

Also, redeployment is highly undesirable in our environment, as we have a lot of 3rd-party, static applications that are long-lived. (We create the server, install the OS, hand it off to another team.) Over time we add additional tags, add a volume, etc. If any of those operations (or the dozen other reasons we update a CF template) caused a re-deploy, it would wipe the app and force a restore from backups, etc.

I'm happy to use ELB, ASGs, and Launch Templates for their own particular use cases, but these applications are not designed for use in those environments. Thanks again!

@josephhernandezphd

Extremely useful option. This should be roadmapped.

@smorgant

Same here, having to rewrite all my templates to be able to get "instance-metadata-tags" enabled; 2 years seems a long time for this to be at minimum reviewed.

@kylegibson

Ugh

@kz974

kz974 commented Jun 15, 2023

Oh yes please. Been wishing for this since 2019!

@anjanasilva

Have you guys realised you can disable IMDSV1 in a running AMI?

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html

Run the following from a place where you can run AWS commands,

aws ec2 modify-image-attribute --image-id ami-0123456789example --imds-support v2.0

Any EC2 instances launched using the above AMI will have IMDSV1 disabled.

I hope this helps,
Thanks

@jpSimkins

2024 check in on the status. Still would like to have this for systems that don't need or require a launch template.

@mdgm88

mdgm88 commented Oct 16, 2024

You can now set the account level defaults for a region in an account. If you don't explicitly override the defaults it should use the defaults you have set e.g.

aws ec2 modify-instance-metadata-defaults --http-tokens required --http-put-response-hop-limit 2

As AWS::EC2::Instance doesn't currently support overriding the defaults, it should use the account level defaults.
