What is instance metadata?
AWS provides an instance metadata service (IMDS) that an EC2 instance can query for details about itself, such as its hostname, IP address and so on.
IMDSv1 uses a plain request/response method: if the instance supports IMDSv1, a single request to the following URL returns the instance metadata:
http://169.254.169.254/latest/meta-data/
IMDSv2 is session oriented: we first create a session token with a valid duration (TTL) and then present that token on every metadata request. The token stays valid for the duration requested when it was created, so the application can reuse the same token until it expires; once it has expired, a new token must be generated.
The following sample command fetches the ami-id in a single command line (the token request and the metadata request are chained together):
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/ami-id
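As an added example (not from the original post), here is the same token flow in Python: a small client that requests a session token with a TTL, reuses it until it is about to expire and then renews it, exercised against a constructed stand-in for the metadata service configured with tokens required. ImdsV2Client, FakeImds, the opener/clock hooks and the sample AMI ID are all assumptions made for this example.

```python
import time
import urllib.request

IMDS = "http://169.254.169.254"

class ImdsV2Client:
    """IMDSv2 reader: one PUT for a session token, reused until its TTL runs out."""
    def __init__(self, ttl_seconds=21600, opener=None, clock=time.monotonic):
        # opener/clock are hypothetical test hooks; with no opener the real endpoint is used
        self.ttl, self.clock = ttl_seconds, clock
        self.open = opener or (lambda r: urllib.request.urlopen(r, timeout=2).read().decode())
        self._token, self._expires_at = None, 0.0

    def token(self):  # renew 60 s early so an in-flight call never carries a stale token
        if self._token is None or self.clock() >= self._expires_at - 60:
            req = urllib.request.Request(IMDS + "/latest/api/token", method="PUT",
                headers={"X-aws-ec2-metadata-token-ttl-seconds": str(self.ttl)})
            self._token = self.open(req)
            self._expires_at = self.clock() + self.ttl
        return self._token

    def get(self, path):  # e.g. get("ami-id") -> "ami-..."
        req = urllib.request.Request(IMDS + "/latest/meta-data/" + path,
                                     headers={"X-aws-ec2-metadata-token": self.token()})
        return self.open(req)

class FakeImds:
    """Constructed stand-in for the service with --http-tokens required: tokens are
    issued on PUT and a GET needs a live token (the real service answers 401 otherwise)."""
    def __init__(self, clock):
        self.clock, self.issued, self.tokens = clock, 0, {}  # token -> expiry time

    def __call__(self, req):
        if req.get_method() == "PUT" and req.full_url.endswith("/latest/api/token"):
            self.issued += 1
            ttl = int(req.get_header("X-aws-ec2-metadata-token-ttl-seconds"))
            self.tokens[f"tok-{self.issued}"] = self.clock() + ttl
            return f"tok-{self.issued}"
        if self.tokens.get(req.get_header("X-aws-ec2-metadata-token"), 0) <= self.clock():
            raise PermissionError("401: token-less (IMDSv1-style) call or expired token")
        return "ami-0123456789abcdef0" if req.full_url.endswith("/ami-id") else ""

def demo():  # returns (ami-id read, number of session tokens the fake had to issue)
    now = [0.0]; tick = lambda: now[0]   # controllable clock standing in for monotonic time
    fake = FakeImds(tick)
    client = ImdsV2Client(opener=fake, clock=tick)
    ami = client.get("ami-id"); client.get("ami-id")  # one PUT, token reused on 2nd call
    now[0] += 21600; client.get("ami-id")             # TTL elapsed -> token renewed
    return ami, fake.issued                           # ("ami-0123456789abcdef0", 2)
```

Without an injected opener the client talks to the real link-local endpoint from inside an instance. Calling the fake with a GET that carries no token header raises PermissionError, which is what an IMDSv1-only caller sees once tokens are required.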
How to update the instance metadata options?
To enable (require) IMDSv2 we can use the following command:
aws ec2 modify-instance-metadata-options \
  --instance-id <<mention instance id>> \
  --http-tokens required \
  --http-endpoint enabled
To change the PUT response hop limit:
aws ec2 modify-instance-metadata-options \
  --instance-id <<mention instance id>> \
  --http-put-response-hop-limit 3 \
  --http-endpoint enabled
To check the current instance metadata options:
aws ec2 describe-instances --instance-ids <<mention instance id>>
To turn off access to instance metadata altogether:
aws ec2 modify-instance-metadata-options \
  --instance-id <<mention instance id>> \
  --http-endpoint disabled
How does it impact us?
IMDSv2 helps us mitigate Server-Side Request Forgery (SSRF) attacks against the metadata service. It has no major impact on us unless our application itself calls the instance metadata service, in which case those calls need to follow the IMDSv2 token flow.
The MetadataNoToken CloudWatch metric tracks the number of calls to the instance metadata service that are made using IMDSv1. Tracking this metric helps us identify when we can migrate.
For more details please refer to:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html