Compliance

Enforce IMDSv2 on EC2

One capability across running instances and the launch sources that create them: require the IMDSv2 session-token handshake everywhere so a server-side request forgery bug cannot read an instance's role credentials.

13 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: AutoScaling.3 EC2.8

Enforcing IMDSv2: the basics

What is the Instance Metadata Service and why does the version matter?

Every EC2 instance can reach a link-local endpoint at 169.254.169.254, the Instance Metadata Service (IMDS). It returns the instance's identity, user-data, and most importantly the temporary IAM credentials of the attached instance profile. Anything running on the instance with HTTP egress can ask for those credentials and immediately have whatever the role grants. IMDSv1 answers any unauthenticated GET; IMDSv2 first requires a session token obtained via a PUT with a custom header, and almost no server-side request forgery (SSRF) primitive can issue an arbitrary PUT with a header, so the credentials become unreachable from that whole class of bug.

AWS Security Hub turns this into more than one control because enforcement has to hold at two layers. EC2.8 fails any running instance whose MetadataOptions.HttpTokens is optional rather than required. AutoScaling.3 fails any Auto Scaling launch configuration that still permits IMDSv1, because the fleet that LC governs keeps launching IMDSv1-permissive instances regardless of what you fixed on the running boxes. They look like separate findings, but they are one capability: require the IMDSv2 handshake on the instances and on the sources that create them.

The trap is that fixing one layer alone leaves the other open. Flip a running instance to required and AutoScaling.3 still fails if the launch source is permissive; migrate the launch source and EC2.8 still fails until the existing instances are replaced. The job is to inventory everything still on IMDSv1, flip the running fleet, fix the launch sources so new instances are born compliant, and roll the old ones out, then lock the setting at the account level.

In this lesson you will learn why IMDSv1 has been the root cause of some of the largest cloud breaches on record, how IMDSv2 closes the SSRF window at the HTTP layer, how to check whether your fleet and its launch sources are compliant, and how to migrate safely, the SDK compatibility check, the hop-limit decision, the instance refresh, and the launch-source change that makes new instances born compliant. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

Capital One: 100 million records, one IMDSv1 call

In 2019 an attacker exploited a server-side request forgery in a misconfigured Capital One WAF to make the WAF itself fetch http://169.254.169.254/latest/meta-data/iam/security-credentials/. IMDSv1 returned the role's temporary credentials, the attacker assumed them externally, and used them to list and download S3 buckets, exfiltrating roughly 106 million customer records. AWS announced IMDSv2 later that same year as the direct architectural fix. A single PUT-required token would have stopped the attack at step one, because a forged GET cannot obtain the session token.

Finding IMDSv1 across an estate

Marco is the security lead at a fintech. A Security Hub scan fires EC2.8 across 47 production instances and AutoScaling.3 across three launch configurations, all still permitting IMDSv1. The fleet mixes EKS workers, legacy batch jobs and a few Windows servers nobody really owns.

He cannot just flip everything to required, since a workload using an SDK old enough to fall back to IMDSv1 only would start failing the moment the flag flips. So he starts by listing the offending instances and their hop limits, to see the spread before changing anything.

List every running instance whose metadata options still allow IMDSv1. HttpTokens=optional is the EC2.8 failure signal.

$ aws ec2 describe-instances --query "Reservations[].Instances[?MetadataOptions.HttpTokens=='optional'].{Id:InstanceId,Hop:MetadataOptions.HttpPutResponseHopLimit,State:State.Name}" --output table

--------------------------------------------------

| i-0abc12def345f6789 | 2 | running |

| i-0cde34f0567b8901c | 1 | running |

--------------------------------------------------

# 47 total. EKS workers at hop=2 (intentional for pods), legacy boxes at hop=1.

Every instance with HttpTokens=optional is exposing IMDSv1 to anything running locally. The launch sources behind them need fixing too.

How IMDSv2 closes the SSRF window, at both layersdeep dive

IMDSv2 is session-oriented over the same 169.254.169.254 endpoint. A client first issues a PUT to /latest/api/token with the header X-aws-ec2-metadata-token-ttl-seconds, and the service returns an opaque session token valid for up to six hours. Every subsequent GET must carry that token. The reason this defeats SSRF specifically is that the vast majority of SSRF primitives are GET-only or cannot set arbitrary headers, so the credential read is no longer a single one-shot GET they can replicate.

EC2.8 reads MetadataOptions.HttpTokens on the running instance and fails on optional. AutoScaling.3 reads the same field on the Auto Scaling launch configuration. Launch configurations are the weak point: AWS added the MetadataOptions field to them late in their life, so older ones simply do not set it and the instances inherit the AMI default, which for most public AMIs is still optional. Launch configurations have been deprecated since 2023, which is why AutoScaling.3 commonly fails alongside the control that tells you to migrate to launch templates, and why the right fix is migration, not just patching the LC.

The HttpPutResponseHopLimit setting controls how many network hops the token response can traverse. The default of 1 means only processes on the host network namespace can reach IMDS, so containers with their own namespace (the default for Kubernetes pods) cannot reach it at all. If pods legitimately need instance-role metadata you either use IRSA (the right answer) or raise the hop limit to 2. Crucially, swapping a launch source does not reboot existing instances; they keep running IMDSv1-permissive until replaced by a scaling event, a deploy, or a deliberate instance refresh, so without the refresh AutoScaling.3 clears but EC2.8 keeps failing.

What is the impact of leaving IMDSv1 enabled?

The direct impact is credential exposure. Every SSRF, every XXE that resolves URIs, every container with broken network isolation, every third-party agent with a parser bug becomes a credential-theft primitive on an IMDSv1-permissive instance. The instance's role credentials are the keys to whatever that role can do: read S3, decrypt KMS keys, list Secrets Manager entries, assume other roles. The blast radius is the IAM policy, not the instance, and the credentials are valid long enough to enumerate and exfiltrate.

The second-order impact is that this is a quiet attack. There is no new compute, no new access key, nothing in the cost report to notice; an attacker who finds an SSRF on a permissive instance inherits a ready-made credential-theft step rather than having to build one. The historical record is well documented: the Capital One breach, plus a steady stream of crypto-mining campaigns and incident-response reports where IMDSv1 was the lateral-movement step after an initial app compromise.

On the compliance side, these controls map to the AWS Foundational Security Best Practices standard, PCI DSS, the CIS AWS Foundations Benchmark and NIST 800-53. A HIGH EC2.8 finding on production instances, or an AutoScaling.3 failure on a fleet still launching permissive instances, is audit evidence that least-privilege controls on instance identities were not enforced, and it can hold up a SOC 2 Type II opinion or trigger a PCI compensating-control writeup.

How do you enforce IMDSv2 safely?

Work the capability as one loop rather than chasing individual findings. The order matters: verify compatibility before you flip, fix the launch sources, roll the fleet so the running instances actually pick up the change, and lock it at the account level.

1. Inventory every instance and launch source still on IMDSv1

Use describe-instances filtered on HttpTokens==optional for EC2.8, and describe-launch-configurations filtered on HttpTokens != required for AutoScaling.3. Group by owner, application and instance profile, and rank by what the attached IAM role can reach. The migration order is usually newest, simplest, highest-privilege workloads first; legacy unowned boxes last with a deprecation plan.

2. Verify SDK compatibility before flipping the switch

Modern SDKs (Boto3, AWS CLI v2, the Java, Go, .NET and JavaScript v2/v3 SDKs) all speak IMDSv2 natively. Older versions and any code that hand-rolls metadata calls without the PUT step will break the moment HttpTokens flips to required. Check the SDK versions in your container images; rebuild any pinned image old enough to predate native IMDSv2 support before migration. Skipping this step is the single most common cause of a self-inflicted outage.

3. Flip running instances, fix launch sources, then roll the fleet

Run modify-instance-metadata-options --http-tokens required on running instances, choosing the hop limit deliberately (1 by default; 2 only where non-IRSA container access to IMDS is genuinely needed). For Auto Scaling, migrate the deprecated launch configuration to a launch template with HttpTokens=required, repoint the ASG, and run start-instance-refresh so existing instances are replaced, otherwise AutoScaling.3 clears but EC2.8 keeps failing on the old boxes.

4. Lock it at the account level so new instances are born compliant

Set the account-wide default with modify-instance-metadata-defaults --http-tokens required so any new instance defaults to IMDSv2 regardless of launch source, and update every launch template and node group. Add an SCP denying ec2:RunInstances without IMDSv2 and one denying autoscaling:CreateLaunchConfiguration outright, and pair with the relevant AWS Config rules for continuous detection.

# Flip a running instance to IMDSv2-only (EC2.8).
aws ec2 modify-instance-metadata-options --instance-id i-0abc12def345f6789 \
  --http-tokens required --http-put-response-hop-limit 1 --http-endpoint enabled

# Migrate the launch source to a launch template with IMDSv2 required (AutoScaling.3),
# then roll the fleet so existing instances actually pick it up.
aws ec2 create-launch-template-version --launch-template-id lt-0fee123abc456def0 \
  --source-version '$Latest' \
  --launch-template-data '{"MetadataOptions":{"HttpTokens":"required","HttpPutResponseHopLimit":2,"HttpEndpoint":"enabled"}}'
aws autoscaling start-instance-refresh --auto-scaling-group-name etl-workers-asg

# Lock it account-wide so new instances are born compliant.
aws ec2 modify-instance-metadata-defaults --http-tokens required --http-put-response-hop-limit 2

Quick quiz

Question 1 of 5

Security Hub shows EC2.8 on running instances and AutoScaling.3 on a launch configuration. What is the most efficient way to think about them?

Keep learning

Go deeper on instance identity, IMDSv2 internals, and the launch-source migration.

You can now treat IMDSv2 enforcement as one capability rather than two findings: inventory every instance and launch source still on IMDSv1, verify SDK compatibility, flip the running fleet, migrate the launch sources and instance-refresh so the change actually applies, then lock the setting at the account level so new instances are born compliant. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Enforcing IMDSv2: the cost and risk view

A zero-cost configuration change that closes the most documented credential-theft path in cloud history

Enabling IMDSv2 costs nothing on the AWS bill. There is no per-call charge, no extra service, no rate-card impact. The only cost is the migration effort: verifying that the software on each instance is new enough to use the updated protocol, flipping a configuration flag, and updating launch sources, work that for a modern fleet is hours, not weeks. Much of it, the move from deprecated launch configurations to launch templates, was already needed for other reasons.

The risk side is where the attention belongs. The exposure from an IMDSv1-permissive instance is bounded by what the attached IAM role can do, which for production workloads often means access to S3 buckets, secrets, or the ability to spin up resources. The Capital One breach in 2019 was a direct IMDSv1 exploit and cost over 270 million dollars in fines and remediation. The relevant question for the risk register is not how likely an SSRF is on a given instance, but what the blast radius is if there is one, so prioritise the highest-privilege fleets first.

The insurance maths is one-sided: a one-time, zero-recurring-cost engineering effort against an open-ended, hard-to-detect credential-theft path. Track the count of HIGH EC2.8 findings on production instances as an open liability line until it reaches zero and the launch sources are updated so it stays there.

This lesson is for the finance partner who wants to understand why these findings deserve budget and priority despite having zero incremental AWS cost. It covers the IMDSv1 credential-theft path in plain terms, the documented financial scale of an exploit, why this is a one-time engineering effort rather than a recurring spend decision, and how to rank the remediation backlog by IAM blast radius rather than by fleet name.

Fun fact

Capital One: 100 million records, one IMDSv1 call

How a finance partner frames the IMDSv2 backlog

Anita is the finance partner for the platform team at the same fintech. Security Hub hands her EC2.8 across 47 production instances and AutoScaling.3 across three launch configurations, all still permitting IMDSv1. Her first move is not to ask what remediation costs, because she already knows IMDSv2 is free on the AWS bill: no per-call charge, no extra service, no rate-card impact. Her question is which of these fleets turns a single application bug into a balance-sheet event, because the exposure is bounded by what the attached IAM role can reach, not by the instance itself.

She asks the team to rank each flagged fleet by the privilege of its instance profile. The fleet whose role can read customer S3 buckets and decrypt KMS keys goes to the top of her risk register; the legacy batch boxes with a narrow role sit lower. She frames the migration as a one-time, non-recurring labour line rather than an open backlog item, and she requires the launch-source update to be in scope so the fix is permanent rather than reopening with every new instance. Her output for the risk pack is one sentence: the remediation is zero recurring cost, the reference data point is the Capital One breach at over 270 million dollars, and we sequence it by IAM blast radius, not by fleet name.

Why IMDSv2 belongs on the risk register

The cost structure is unusual: remediation has zero incremental AWS spend, because IMDSv2 is not a paid feature. The cost is purely engineering labour, an inventory run, a compatibility check, the flag flip and the launch-source update, which for a modern fleet measures in hours. From a cost-of-risk perspective, leaving high-privilege fleets on IMDSv1 is an uninsured position you can close with a bounded, one-time budget.

The exposure is bounded by what the attached IAM role can reach, so the right risk-register entry is per fleet: N production instances where an application bug exposes access to X, ranked by role privilege. The Capital One breach is the reference data point at over 270 million dollars. The finance role is to approve the migration as a one-time, non-recurring investment, require the launch-source update to be in scope so the fix is permanent, and track the open liability until the count reaches zero and stays there.

What finance can drive on IMDSv2

Finance cannot flip the flag, but it can get this treated as a prioritised, bounded labour investment rather than an open backlog item. Three levers.

1. Put the finding count on the risk register with blast radius

Track the number of HIGH EC2.8 findings on production instances alongside the most permissive IAM roles attached to them. N production instances where an application bug exposes access to X turns a security score into a quantifiable open liability that gets a sprint allocated.

2. Approve it as a one-time labour line with no recurring cost

IMDSv2 is free on the bill; the only spend is engineering hours to verify SDK versions, flip the flag and update launch sources. Approving it explicitly as a bounded, non-recurring investment removes budget ambiguity and lets the team start now.

3. Require the launch-source update to be in scope

Flipping the flag on existing instances without updating launch templates means every new instance reopens the finding. Make the launch-source update and a born-compliant confirmation a required deliverable, not a follow-up, so the fix is permanent.

Quick quiz

Question 1 of 5

Why does enforcing IMDSv2 carry zero incremental AWS cost?

Keep learning

Go deeper on instance identity, IMDSv2 internals, and the launch-source migration.

You have finished the finance view of IMDSv2 enforcement. You know the cost is one-sided (zero recurring AWS spend, a bounded one-time labour line, against an open-ended credential-theft path documented at over 270 million dollars in the Capital One breach), that the right metric is HIGH EC2.8 findings on production instances ranked by IAM blast radius rather than by fleet name, and that the launch-source update must be in scope so the fix is permanent. Next time these findings land, you will treat them as a prioritised, bounded investment rather than an open backlog item.

Back to the library

Enforcing IMDSv2: the headline

Whether an application bug can silently hand out an instance's cloud credentials

Every EC2 server has a built-in endpoint that returns its cloud credentials to code running on it. The legacy version, IMDSv1, requires no authentication, so any application vulnerability that can make an outbound HTTP request can silently steal those credentials. The Capital One breach, 106 million customer records and over 270 million dollars in consequences, followed exactly this path. The report marks the running-instance control HIGH severity.

The fix is a single configuration flag, and it costs nothing on the cloud bill. The only work is verifying that software is modern enough for the updated protocol and updating the launch sources so new instances are born compliant. This belongs on the executive radar not because it is complicated, but because the consequence of ignoring it is disproportionately large relative to the effort.

The leadership question is whether every production instance has this enforced by policy rather than by accident, with the highest-privilege fleets at the front of the queue and the launch sources updated so the setting can never silently reopen.

A short read for the leader who wants to know what these controls protect, why they are HIGH severity, and the one question to ask: are the highest-privilege fleets enforced first, and are the launch sources updated so new instances are born compliant rather than patched one finding at a time.

Fun fact

Capital One: 100 million records, one IMDSv1 call

What it looks like when instance identity is enforced, not assumed

After the board read yet another incident report where an application bug let an attacker fetch an instance's cloud credentials, the CEO asked a single question at the next risk review: could that happen to us, and how would we know? The honest answer was that on every IMDSv1-permissive fleet it could, and the first signal would be the exfiltration itself, because credential theft over the metadata service leaves nothing in the cost report to notice. The wall of EC2.8 findings was the visible symptom of that gap, and the Capital One breach, 106 million records down a single IMDSv1 call, was the textbook case.

The leadership response was to treat IMDSv2 as a standard enforced by infrastructure rather than a backlog of findings patched one at a time. The highest-privilege fleets were remediated first, launch sources were migrated to launch templates with the handshake required, an account-level default was set so new instances were born compliant, and a Service Control Policy denied launching without IMDSv2. Six months on, the question changed from could that happen to us to are new instances born compliant by default, and the answer was yes by infrastructure rather than by good behaviour. That born-compliant confirmation, not the point-in-time count, is the signal that belongs on a governance review.

Why this is a leadership item, not just a ticket

These controls translate to a single board-level question: could an application bug on one of our servers silently hand an attacker the keys to our data? With IMDSv1 permissive, the honest answer for every flagged fleet is yes, and the Capital One breach is the textbook case, an application vulnerability that could make the right HTTP request, and 106 million records walked out for free.

What makes this unusual is that the fix has no ongoing cost; the only investment is the migration that was already needed because launch configurations are deprecated. The leadership question is therefore not whether it is worth the cost, but whether the highest-risk fleets are remediated first and whether new instances are born compliant by default. After an incident, the narrative we knew it was permissive, the fix was free, and we deprioritised it does not survive a post-mortem.

The leadership move on IMDSv2

The handle is not to direct the migration, it is to set the standard that makes this a one-time effort rather than a recurring finding.

1. Set the standard: production is IMDSv2-only by default

Make it policy that any production instance has HttpTokens=required, enforced through launch templates and an account-level default. A clear default removes per-instance debate and the risk that one misconfigured launch source reopens the fleet.

2. Sequence the highest-privilege fleets first

Not all fleets carry the same risk. The ones whose instances hold credentials with broad access to sensitive data are where an SSRF becomes a reportable incident, so they go in the first remediation sprint. The migration was already needed; this is just sequencing.

3. Ask for born-compliant confirmation, not just a zero count

The finding count reaching zero is necessary but not sufficient. Ask whether new instances are born compliant by default through updated launch sources and an SCP, which is the signal the policy is enforced by infrastructure rather than by good behaviour.

Quick quiz

Question 1 of 5

What single board-level question do the IMDSv2 controls translate to?

Keep learning

Go deeper on instance identity, IMDSv2 internals, and the launch-source migration.

Two takeaways: an IMDSv1-permissive instance is an uninsured position where an application bug can silently hand out the instance's cloud credentials, and the fix costs nothing on the bill, only the migration that deprecated launch configurations already required. The trade is engineering hours against a 106-million-record breach pattern, which is the one leadership should be quickest to approve. Sequence the highest-privilege fleets first, and ask for born-compliant confirmation rather than just a zero count so the setting can never silently reopen.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

AutoScaling

AutoScaling.3 High Launched instances still allow IMDSv1

EC2

EC2.8 High IMDSv1 lets an SSRF steal instance credentials

Part of the learning path Lock down access

Enforce IMDSv2 on EC2

Enforcing IMDSv2: the basics

Capital One: 100 million records, one IMDSv1 call

Finding IMDSv1 across an estate

How IMDSv2 closes the SSRF window, at both layersdeep dive

What is the impact of leaving IMDSv1 enabled?

How do you enforce IMDSv2 safely?

1. Inventory every instance and launch source still on IMDSv1

2. Verify SDK compatibility before flipping the switch

3. Flip running instances, fix launch sources, then roll the fleet

4. Lock it at the account level so new instances are born compliant

Quick quiz

Keep learning

Enforcing IMDSv2: the cost and risk view

Capital One: 100 million records, one IMDSv1 call

How a finance partner frames the IMDSv2 backlog

Why IMDSv2 belongs on the risk register

What finance can drive on IMDSv2

1. Put the finding count on the risk register with blast radius

2. Approve it as a one-time labour line with no recurring cost

3. Require the launch-source update to be in scope

Quick quiz

Keep learning

Enforcing IMDSv2: the headline

Capital One: 100 million records, one IMDSv1 call

What it looks like when instance identity is enforced, not assumed

Why this is a leadership item, not just a ticket

The leadership move on IMDSv2

1. Set the standard: production is IMDSv2-only by default

2. Sequence the highest-privilege fleets first

3. Ask for born-compliant confirmation, not just a zero count

Quick quiz

Keep learning

Controls this lesson covers

AutoScaling

EC2

Related compliance lessons