Difference between revisions of "IMDS versions"
[1] https://d1.awsstatic.com/events/reinvent/2019/Security_best_practices_for_the_Amazon_EC2_instance_metadata_service_SEC310
[2] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html
[3] https://docs.datadoghq.com/security/default_rules/aws-ec2-instance-ec2-instances-should-enforce-imdsv2/
(16 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
[[IMDS distinguishes between v1 and v2 requests by presence of headers]] <ref>https://d1.awsstatic.com/events/reinvent/2019/Security_best_practices_for_the_Amazon_EC2_instance_metadata_service_SEC310</ref> | [[IMDS distinguishes between v1 and v2 requests by presence of headers]] <ref>https://d1.awsstatic.com/events/reinvent/2019/Security_best_practices_for_the_Amazon_EC2_instance_metadata_service_SEC310</ref> | ||
+ | |||
+ | * IMDSv2 uses [[token-backed sessions]] <ref>https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html</ref> that expires after a maximum of six hours. <ref>https://docs.datadoghq.com/security/default_rules/aws-ec2-instance-ec2-instances-should-enforce-imdsv2/</ref> | ||
+ | * [[MDSv1]] disabled in [[Amazon Linux 2023]] | ||
+ | * [[Datadog: EC2 instances should enforce IMDSv2]] | ||
+ | |||
+ | |||
+ | [[aws ec2 modify-instance-metadata-defaults --http-tokens]] required | ||
+ | |||
+ | == Activities == | ||
+ | * [[Transition to using Instance Metadata Service Version 2]] | ||
+ | |||
+ | == Related == | ||
* [[IMDSv2]] | * [[IMDSv2]] | ||
+ | * [[Use IMDSv2]], [[Transition to using Instance Metadata Service Version 2]] | ||
+ | * <code>[[aws ec2 modify-instance-metadata-options]]</code> | ||
== See also == | == See also == |
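Review bot: the added bullet "* [[MDSv1]] disabled in [[Amazon Linux 2023]]" links to "MDSv1", which looks like a typo for IMDSv1 given every other term in this revision, so the link target should be corrected. In the first added bullet, "token-backed sessions ... that expires" should read "that expire". The link [[Transition to using Instance Metadata Service Version 2]] is now added under both Activities and Related; one of the two entries can be dropped.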
Latest revision as of 09:27, 28 June 2024
IMDS distinguishes between v1 and v2 requests by presence of headers [1]
- IMDSv2 uses token-backed sessions [2] that expire after a maximum of six hours. [3]
- IMDSv1 disabled in Amazon Linux 2023
- Datadog: EC2 instances should enforce IMDSv2
aws ec2 modify-instance-metadata-defaults --http-tokens required
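To find instances that still accept IMDSv1 requests, the following added example (not part of the original page) audits `aws ec2 describe-instances` output and builds the per-instance `aws ec2 modify-instance-metadata-options` call for each one. The sample JSON, instance IDs and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output; IDs are made up.
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-example0001", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-example0002", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}}]},
  {"Instances": [
    {"InstanceId": "i-example0003", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-example0004"}]}
]}
""")


def imds_posture(instance):
    """Classify one instance record: 'v2-only', 'v1-allowed', 'disabled' or 'unknown'."""
    opts = instance.get("MetadataOptions")
    if not opts:
        return "unknown"  # field missing: do not assume the instance is safe
    if opts.get("HttpEndpoint") == "disabled":
        return "disabled"  # IMDS is unreachable, so there is no v1 exposure
    return "v2-only" if opts.get("HttpTokens") == "required" else "v1-allowed"


def audit(describe_output):
    """Return {instance_id: posture} for every instance in the output."""
    return {
        inst["InstanceId"]: imds_posture(inst)
        for res in describe_output.get("Reservations", [])
        for inst in res.get("Instances", [])
    }


def remediation_commands(postures):
    """Build the CLI call that enforces IMDSv2 on each instance still accepting v1."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-endpoint enabled"
        for iid, posture in sorted(postures.items())
        if posture == "v1-allowed"
    ]


if __name__ == "__main__":
    print(audit(SAMPLE))
    print("\n".join(remediation_commands(audit(SAMPLE))))
```

Instances reported as `unknown` need a manual look rather than being counted as compliant.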
Activities
- Transition to using Instance Metadata Service Version 2
Related
- IMDSv2
- Use IMDSv2, Transition to using Instance Metadata Service Version 2
- aws ec2 modify-instance-metadata-options
See also
- IMDS, IMDS versions (IMDSv2), IMDS initiate session, ec2-imdsv2-check, aws ec2 modify-instance-metadata-options, /latest/meta-data, /latest/user-data, modify-instance-metadata-defaults