Get AWS EC2 Instance Metadata Service State

Nick Gibbon
Pareture

How to find the current configuration state for the Instance Metadata Service (IMDS) for your EC2 Instances in AWS

IMDS

The Instance Metadata Service is a feature for EC2 Compute Instances in AWS. It allows you to obtain specific contextual information about the environment (the “metadata”) from a node without having to use AWS APIs. This allows applications and scripts within the Instance to be more self-aware and act on this information if that is what’s needed. It runs on a link-local address which is only valid from the Instance.

This will look familiar to some:

http://169.254.169.254/latest/meta-data/

IMDSv2

In November 2019 AWS released IMDSv2, which provides the same functionality but requires session-based authentication to use the Instance Metadata Service. This is intended to mitigate some potential attacks.

Configuration

For each instance you can now choose to allow both IMDSv1 and IMDSv2, require the use of IMDSv2, or disable the Metadata Service altogether.

The recommendation is: disable it if you can, use IMDSv2 if you can’t, and only use IMDSv1 if you genuinely need to, for whatever reason that is.

You can set this configuration via the Console, CLI or SDKs on instance creation.

Get State

The IMDS configuration state cannot be found in the Console!

So don’t waste your time rummaging around your EC2 tabs. However, you can still find it programmatically…

AWS SDKs — Example Boto3 (Python)

Using the Describe Instances request, the data can be found like so (note the indexes; this assumes only one instance has been returned).

response["Reservations"][0]["Instances"][0]["MetadataOptions"]

And it looks like this:

'MetadataOptions': {
    'State': 'pending'|'applied',
    'HttpTokens': 'optional'|'required',
    'HttpPutResponseHopLimit': 123,
    'HttpEndpoint': 'disabled'|'enabled'
}

It can also be found using the AWS CLI the same way: https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html
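As an added example (not code from the original post), here is a small boto3 audit that classifies every instance returned by DescribeInstances against the recommendation above (disabled, then IMDSv2 required, then IMDSv1 allowed) and flags any change still pending; the sample response is constructed, and the `audit_live` helper and its region argument are assumptions.

```python
# Added example (not from the original post): classify each instance's IMDS
# configuration from DescribeInstances output. Sample response is constructed.
from typing import Dict, Iterable, List

# Constructed sample in the shape of a DescribeInstances response (not real IDs).
SAMPLE_RESPONSE = {"Reservations": [
    {"Instances": [
        {"InstanceId": "i-0example1", "MetadataOptions": {
            "State": "applied", "HttpTokens": "optional",
            "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0example2", "MetadataOptions": {
            "State": "applied", "HttpTokens": "required",
            "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}}]},
    {"Instances": [
        {"InstanceId": "i-0example3", "MetadataOptions": {
            "State": "pending", "HttpTokens": "optional",
            "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}}]}]}

def classify_imds(options: Dict) -> str:
    """Map MetadataOptions to 'disabled', 'v2-required' or 'v1-allowed'."""
    if options.get("HttpEndpoint") == "disabled":
        return "disabled"              # endpoint off: nothing to reach
    if options.get("HttpTokens") == "required":
        return "v2-required"           # session token mandatory
    return "v1-allowed"                # 'optional': v1 requests still answered

def audit(pages: Iterable[Dict]) -> List[Dict]:
    """Walk every Reservation/Instance across one or more response pages."""
    findings = []
    for page in pages:
        for reservation in page.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                opts = inst.get("MetadataOptions", {})
                findings.append({"InstanceId": inst["InstanceId"],
                                 "imds": classify_imds(opts),
                                 # a change not yet applied; re-check later
                                 "pending": opts.get("State") == "pending"})
    return findings

def audit_live(region: str) -> List[Dict]:
    """Same audit against a real account; paginated so no instance is missed."""
    import boto3  # lazy import so the offline sample runs without boto3
    ec2 = boto3.client("ec2", region_name=region)
    return audit(ec2.get_paginator("describe_instances").paginate())

if __name__ == "__main__":
    for f in audit([SAMPLE_RESPONSE]):
        flag = " (change pending)" if f["pending"] else ""
        print(f"{f['InstanceId']}: {f['imds']}{flag}")
```

Anything reported as "v1-allowed" is an instance where the token-less IMDSv1 path still answers, which is what the recommendation above says to move away from.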

Tools

Thankfully, since you are still able to obtain the IMDS configuration state programmatically, it can still be scanned by security and misconfiguration tooling. In fact, this is exactly how the AWS Config compliance check works.

This is — of course — all in the documentation somewhere. However, it wasn’t super clear to me that it isn’t available in the Console or exactly where to find it — hence this public service post. I expect that sometime in the future this data will be available in the AWS Console as well.

Launch Templates

Interestingly, if you launch your EC2 Instances from a Launch Template you can see the IMDS configuration in the Console there under ‘Advanced Details’.

Software reliability engineer & manager in cloud infrastructure, platforms & tools.