Difference between revisions of "IMDS versions"
Jump to navigation
Jump to search
↑ https://d1.awsstatic.com/events/reinvent/2019/Security_best_practices_for_the_Amazon_EC2_instance_metadata_service_SEC310
↑ https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html
↑ https://docs.datadoghq.com/security/default_rules/aws-ec2-instance-ec2-instances-should-enforce-imdsv2/
| Line 2: | Line 2: | ||
| − | * IMDSv2 uses [[token-backed sessions]] <ref>https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html</ref> that expires after a maximum of six hours. | + | * IMDSv2 uses [[token-backed sessions]] <ref>https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html</ref> that expires after a maximum of six hours. <ref>https://docs.datadoghq.com/security/default_rules/aws-ec2-instance-ec2-instances-should-enforce-imdsv2/</ref> |
* [[MDSv1]] disabled in [[Amazon Linux 2023]] | * [[MDSv1]] disabled in [[Amazon Linux 2023]] | ||
* [[Datadog: EC2 instances should enforce IMDSv2]] | * [[Datadog: EC2 instances should enforce IMDSv2]] | ||
Revision as of 09:13, 28 June 2024
IMDS distinguishes between v1 and v2 requests by presence of headers [1]
- IMDSv2 uses token-backed sessions [2] that expires after a maximum of six hours. [3]
- MDSv1 disabled in Amazon Linux 2023
- Datadog: EC2 instances should enforce IMDSv2
Related
- IMDSv2
- Use IMDSv2, Transition to using Instance Metadata Service Version 2
aws ec2 modify-instance-metadata-options
See also
- IMDS, IMDS versions (IMDSv2), IMDS initiate session,
ec2-imdsv2-check, aws ec2 modify-instance-metadata-options, /latest/meta-data, /latest/user-data, modify-instance-metadata-defaults
Advertising:
