Use IMDSv2
You can access instance metadata from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1) – a request/response method
- Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method
By default, you can use either IMDSv1 or IMDSv2, or both.
You can configure the Instance Metadata Service (IMDS) on each instance so that local code or users must use IMDSv2. When you specify that IMDSv2 must be used, IMDSv1 no longer works. For information about how to configure your instance to use IMDSv2, see Configure the instance metadata options.
The headers used by IMDSv2 PUT and GET requests are unique to IMDSv2. If these headers are present in the request, the request is intended for IMDSv2. If no such headers are present, the request is assumed to be intended for IMDSv1.
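The request classification described above, shown as an added example that is not part of the original page: a Python simulation of an instance metadata endpoint that can be configured to require IMDSv2, beside a client that performs the two-step session flow (PUT for a token, then GET with the token attached). The endpoint itself, the ephemeral port and the sample metadata values are constructed here; the header names `X-aws-ec2-metadata-token-ttl-seconds` (on the PUT) and `X-aws-ec2-metadata-token` (on the GET), the token TTL range of 1 to 21600 seconds, and the refusal of token requests that carry an `X-Forwarded-For` header are IMDSv2 behaviours documented by AWS rather than taken from this page.

```python
"""Offline simulation of IMDSv1 vs IMDSv2 requests.

A small HTTP server stands in for the metadata endpoint (169.254.169.254 on a
real instance; 127.0.0.1 here) so the flow can be exercised without EC2.
All metadata values below are constructed placeholders.
"""
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request as urlrequest
from urllib.error import HTTPError

TOKEN_HEADER = "X-aws-ec2-metadata-token"           # IMDSv2 GET requests
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"  # IMDSv2 PUT token request
TOKEN_PATH = "/latest/api/token"
MAX_TTL = 21600                                      # six hours, the IMDSv2 maximum

# Constructed sample metadata; not values from any real instance.
SAMPLE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/placement/availability-zone": "us-east-1a",
}


class FakeIMDS(BaseHTTPRequestHandler):
    """Serves SAMPLE_METADATA, optionally requiring an IMDSv2 session token."""
    require_v2 = True   # stands in for the instance's "IMDSv2 required" setting
    tokens = {}         # token -> expiry (epoch seconds)

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        if self.path != TOKEN_PATH:
            return self._send(404, "")
        # A token request that has passed through a proxy is refused.
        if "X-Forwarded-For" in self.headers:
            return self._send(403, "")
        ttl = self.headers.get(TTL_HEADER, "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
            return self._send(400, "")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._send(200, token)

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        if token is None:            # no token header: an IMDSv1-style request
            if self.require_v2:
                return self._send(401, "")
        elif self.tokens.get(token, 0) < time.time():
            return self._send(401, "")   # unknown or expired session
        body = SAMPLE_METADATA.get(self.path)
        if body is None:
            return self._send(404, "")
        self._send(200, body)

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_server(require_v2=True):
    """Starts the fake endpoint on an ephemeral port; returns (server, base_url)."""
    FakeIMDS.require_v2 = require_v2
    server = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


# Ignore any HTTP proxy from the environment; the metadata service is link-local.
_OPENER = urlrequest.build_opener(urlrequest.ProxyHandler({}))


def call(method, url, headers):
    """Returns (status, body) for a single request."""
    req = urlrequest.Request(url, method=method, headers=headers)
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, ""


def fetch_v1(base, path):
    """IMDSv1: one GET with no token header."""
    return call("GET", base + path, {})


def fetch_v2(base, path, ttl=300):
    """IMDSv2: PUT for a session token, then GET with the token attached."""
    status, token = call("PUT", base + TOKEN_PATH, {TTL_HEADER: str(ttl)})
    if status != 200:
        return status, ""
    return call("GET", base + path, {TOKEN_HEADER: token})


def demo(require_v2=True):
    """Runs each flow against the simulated endpoint and returns the outcomes."""
    server, base = start_server(require_v2)
    path = "/latest/meta-data/instance-id"
    try:
        return {
            "v1_get": fetch_v1(base, path)[0],
            "v2_get": fetch_v2(base, path),
            "proxied_put": call("PUT", base + TOKEN_PATH,
                                {TTL_HEADER: "300", "X-Forwarded-For": "203.0.113.5"})[0],
            "bad_ttl_put": call("PUT", base + TOKEN_PATH, {TTL_HEADER: "0"})[0],
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("IMDSv2 required:", demo(require_v2=True))
    print("IMDSv1 allowed: ", demo(require_v2=False))
```

With the endpoint set to require IMDSv2, the plain GET is answered 401 while the token-backed GET succeeds; with the default (either version allowed), the same plain GET returns the metadata. The simulation also shows the two token-request checks that do not depend on the instance setting: a PUT carrying `X-Forwarded-For` is refused and an out-of-range TTL is rejected.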
For an extensive review of IMDSv2, see Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service.
To retrieve instance metadata, see Retrieve instance metadata.