Published in Sai Ops
Upgrading from AWS EC2 IMDSv1 to IMDSv2

Documentation inspired by Cloudnaut.io and Praveen Kumar

What does IMDS stand for and what does each version achieve?

- "Instance Metadata Service Version 1 (IMDSv1) – a request/response method"
- "Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method"

Background information

  • Metadata of an EC2 instance can only be retrieved from within the instance itself. It can include identity credentials, IAM role information, metrics, public keys, security groups, and a whole lot more. As you can tell, this information is sensitive, and it can easily be read by anyone who gains access to the instance.

Problem with IMDSv1

  • No authentication is required to retrieve metadata from within the instance.

Solution with IMDSv2

  • A token is now required when requesting metadata. Version 2 is also session-oriented: the token is obtained with a PUT request and expires after the requested time-to-live.

How to upgrade existing EC2 Metadata version to 2

1. Get the instance IDs of the EC2 instances that need this update and copy them to the clipboard. The instance IDs that need the upgrade can be found in Trusted Advisor if you have the checks enabled.

2. Execute the following command in AWS CloudShell, replacing the instance-id parameter. This command describes the specified instance. Locate the MetadataOptions section by pressing Enter to page through the response.

aws ec2 describe-instances --instance-ids <enter-your-instanced-id>

3. As you can see, the HttpTokens parameter is set to optional. We will be changing that. To exit the response, press Q to return to the terminal.

4. Execute the following command, replacing the instance-id argument and adjusting the other arguments as needed. This command sets HttpTokens to required and the PUT response hop limit to 1 for the metadata service, if they are not already set.

aws ec2 modify-instance-metadata-options --instance-id <enter-your-instanced-id> --http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1

http-tokens : “The state of token usage for your instance metadata requests.”

http-put-response-hop-limit : “The desired HTTP PUT response hop limit for instance metadata requests.”

Refer to the AWS CLI Command Reference

5. Now that tokens are required, verify that the fields have changed by executing the following command in AWS CloudShell. Be sure to replace the instance-id argument.

aws ec2 describe-instances --instance-ids <enter-your-instanced-id>

6. Once you get output similar to the above, connect to your instance and run the following curl command:

curl http://169.254.169.254/latest/meta

Notice the unauthorized message. It is safe to say that the upgrade has worked: with the instance metadata service on version 1 there would be no unauthorized error, because no token is required.

7. To get instance metadata using version 2, execute the following commands. You first request a token and store it in a variable, then pass that token in a request header.

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/

With the token supplied, the request succeeds and the metadata is returned.
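The steps above are run one instance at a time. As an added example (not part of the original post), the following script audits the JSON that `aws ec2 describe-instances` returns for instances still accepting IMDSv1 or allowing a PUT response hop limit above 1, and prints the step 4 remediation command for each. The instance IDs in the embedded sample are constructed.

```python
"""Audit `aws ec2 describe-instances` output for instances not yet IMDSv2-only."""
import json
import sys

# Constructed sample of describe-instances output: one instance still accepts
# IMDSv1 (HttpTokens optional) with a permissive hop limit, the other is
# already hardened the way step 4 leaves it.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example1111111111",
         "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0example2222222222",
         "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    ]}]
})


def audit_metadata_options(describe_json, max_hop_limit=1):
    """Return {instance_id: [findings]} for instances that are not IMDSv2-only.

    A finding is raised when HttpTokens is not 'required' (IMDSv1 still answers
    unauthenticated requests) or when the PUT response hop limit exceeds max_hop_limit.
    Instances with the metadata endpoint disabled are skipped; there is nothing to reach.
    """
    findings = {}
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append(f"HttpTokens={opts.get('HttpTokens')}")
            hop = opts.get("HttpPutResponseHopLimit", 1)
            if hop > max_hop_limit:
                problems.append(f"HttpPutResponseHopLimit={hop}")
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


def remediation_command(instance_id, hop_limit=1):
    """Build the modify-instance-metadata-options call from step 4 for one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            f"--http-tokens required --http-endpoint enabled "
            f"--http-put-response-hop-limit {hop_limit}")


if __name__ == "__main__":
    # Usage: aws ec2 describe-instances > out.json && python audit_imds.py out.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DESCRIBE_OUTPUT
    for iid, why in audit_metadata_options(data).items():
        print(f"# {iid}: {', '.join(why)}")
        print(remediation_command(iid))
```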

Summary

  • IMDSv2 is the recommended security best practice to enable on your instances. It adds another layer of protection to access to your instance metadata.

Sai Dilip Ponnaganti, DevOps Engineer