Configure the instance metadata options
Instance metadata options allow you to configure new or existing instances to do the following:
-
Require the use of IMDSv2 when requesting instance metadata
-
Specify the
PUT
response hop limit -
Turn off access to instance metadata
You can also use IAM condition keys in an IAM policy or SCP to do the following:
-
Allow an instance to launch only if it's configured to require the use of IMDSv2
-
Restrict the number of allowed hops
-
Turn off access to instance metadata
Note
You should proceed cautiously and conduct careful testing before making any changes. Take note of the following:
-
If you enforce the use of IMDSv2, applications or agents that use IMDSv1 for instance metadata access will break.
-
If you turn off all access to instance metadata, applications or agents that rely on instance metadata access to function will break.
-
For IMDSv2, you must use
/latest/api/token
when retrieving the token.