Modify instance metadata options for existing instances
You can modify the instance metadata options for existing instances.
You can also create an IAM policy that prevents users from modifying the instance metadata options on existing instances. To control which users can modify the instance metadata options, specify a policy that prevents all users other than those with a specified role from using the ModifyInstanceMetadataOptions API. For the example IAM policy, see Work with instance metadata.
You can modify the following metadata options for existing instances:
Require the use of IMDSv2
Use one of the following methods to modify the instance metadata options on an existing instance to require that IMDSv2 is used when requesting instance metadata. When IMDSv2 is required, IMDSv1 cannot be used.
Restore the use of IMDSv1
When IMDSv2 is required, IMDSv1 will not work when requesting instance metadata. When IMDSv2 is optional, then both IMDSv2 and IMDSv1 will work. Therefore, to restore IMDSv1, make IMDSv2 optional by using one of the following methods.
Change the PUT response hop limit
For existing instances, you can change the settings of the PUT response hop limit.
Currently only the AWS CLI and AWS SDKs support changing the PUT response hop limit.
To change the PUT response hop limit
Use the modify-instance-metadata-options CLI command and set the http-put-response-hop-limit parameter to the required number of hops. In the following example, the hop limit is set to 3. Note that when specifying a value for http-put-response-hop-limit, you must also set http-endpoint to enabled.
aws ec2 modify-instance-metadata-options \
    --instance-id i-1234567898abcdef0 \
    --http-put-response-hop-limit 3 \
    --http-endpoint enabled
Enable the IPv6 endpoint for your instance
By default, the IPv6 endpoint is disabled. This is true even if you have launched an instance into an IPv6-only subnet. The IPv6 endpoint for the IMDS is only accessible on instances built on the Nitro System.
Currently only the AWS CLI and AWS SDKs support enabling the IPv6 endpoint for your instance.
To enable the IPv6 endpoint for your instance
Use the modify-instance-metadata-options CLI command and set the http-protocol-ipv6 parameter to enabled. Note that when specifying a value for http-protocol-ipv6, you must also set http-endpoint to enabled.
aws ec2 modify-instance-metadata-options \
    --instance-id i-1234567898abcdef0 \
    --http-protocol-ipv6 enabled \
    --http-endpoint enabled
Turn on access to instance metadata
You can turn on access to instance metadata by enabling the HTTP endpoint of the IMDS on your instance, regardless of which version of the IMDS you are using. You can reverse this change at any time by disabling the HTTP endpoint.
Use one of the following methods to turn on access to instance metadata on an instance.
Turn off access to instance metadata
You can turn off access to instance metadata by disabling the HTTP endpoint of the IMDS on your instance, regardless of which version of the IMDS you are using. You can reverse this change at any time by enabling the HTTP endpoint.
Use one of the following methods to turn off access to instance metadata on an instance.
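Every operation on this page (requiring IMDSv2 or restoring IMDSv1, changing the PUT response hop limit, enabling the IPv6 endpoint, and turning the HTTP endpoint on or off) is the same ModifyInstanceMetadataOptions call with different parameters. The following Python script is an added example, not AWS's own code: it builds the request for each of those operations through the AWS SDK (boto3), enforcing the page's rule that the hop limit and IPv6 settings can only be set together with http-endpoint enabled, and audits DescribeInstances output for instances that still answer IMDSv1 or have a hop limit above 1. The request keys (InstanceId, HttpTokens, HttpEndpoint, HttpPutResponseHopLimit, HttpProtocolIpv6) and the MetadataOptions fields are the EC2 API's own; the helper names, the finding labels and the sample instance records are constructed for this example, and the boto3 call at the bottom only runs when the file is executed directly.

```python
"""Build and audit EC2 instance metadata options (IMDS settings).

Added example, not AWS documentation code. The request keys and the
MetadataOptions fields read from DescribeInstances are the EC2 API's own;
the helper names, finding labels and sample data are constructed here.
"""
from typing import Dict, List, Optional


def metadata_options_request(
    instance_id: str,
    require_imdsv2: Optional[bool] = None,
    hop_limit: Optional[int] = None,
    ipv6: Optional[bool] = None,
    endpoint: Optional[bool] = None,
) -> Dict[str, object]:
    """Return keyword arguments for ec2.modify_instance_metadata_options().

    Enforces the constraint stated on the page: HttpPutResponseHopLimit and
    HttpProtocolIpv6 may only be set together with HttpEndpoint=enabled.
    """
    params: Dict[str, object] = {"InstanceId": instance_id}
    if require_imdsv2 is not None:
        # "required" makes IMDSv1 unusable; "optional" restores it.
        params["HttpTokens"] = "required" if require_imdsv2 else "optional"
    if hop_limit is not None:
        if not 1 <= hop_limit <= 64:  # range accepted by the EC2 API
            raise ValueError("hop limit must be between 1 and 64")
        params["HttpPutResponseHopLimit"] = hop_limit
    if ipv6 is not None:
        params["HttpProtocolIpv6"] = "enabled" if ipv6 else "disabled"
    if endpoint is not None:
        params["HttpEndpoint"] = "enabled" if endpoint else "disabled"
    needs_endpoint = "HttpPutResponseHopLimit" in params or "HttpProtocolIpv6" in params
    if needs_endpoint and params.get("HttpEndpoint") != "enabled":
        raise ValueError("set endpoint=True when changing the hop limit or IPv6 endpoint")
    if len(params) == 1:
        raise ValueError("no metadata option to modify")
    return params


def audit_metadata_options(reservations: List[dict]) -> List[Dict[str, object]]:
    """Flag instances whose IMDS still answers IMDSv1 or whose hop limit exceeds 1.

    `reservations` has the shape of the "Reservations" list returned by
    DescribeInstances. A hop limit above 1 lets the PUT response travel
    beyond the instance itself (for example into a container network);
    a limit of 1 keeps it on the host.
    """
    findings: List[Dict[str, object]] = []
    for reservation in reservations:
        for instance in reservation.get("Instances", []):
            opts = instance.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue  # metadata access is turned off: nothing to reach
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("imdsv1-allowed")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop-limit-above-1")
            if issues:
                findings.append({"InstanceId": instance["InstanceId"], "Issues": issues})
    return findings


def remediation_request(finding: Dict[str, object]) -> Dict[str, object]:
    """Translate one audit finding into a ModifyInstanceMetadataOptions request."""
    issues = finding["Issues"]
    lower_hops = "hop-limit-above-1" in issues
    return metadata_options_request(
        str(finding["InstanceId"]),
        require_imdsv2=True if "imdsv1-allowed" in issues else None,
        hop_limit=1 if lower_hops else None,
        endpoint=True if lower_hops else None,  # required alongside the hop limit
    )


# Constructed sample in the shape of a DescribeInstances response.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-1234567898abcdef0",  # IMDSv2 optional: IMDSv1 still works
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-1234567898abcdef1",  # hop limit raised to 3
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 3}},
    {"InstanceId": "i-1234567898abcdef2",  # IMDSv2 required, hop limit 1
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-1234567898abcdef3",  # metadata access turned off
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]}]


if __name__ == "__main__":
    import boto3  # only needed to run against a real account

    ec2 = boto3.client("ec2")
    for page in ec2.get_paginator("describe_instances").paginate():
        for finding in audit_metadata_options(page["Reservations"]):
            # Prints the planned change; ec2.modify_instance_metadata_options(**req) applies it.
            print(finding, remediation_request(finding))
```

Run the file directly with AWS credentials in the environment to list the instances that would be changed and the exact request for each; the audit deliberately skips instances whose HTTP endpoint is disabled, since no version of the IMDS is reachable there.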