EC2 - Modify Instance Metadata Options¶
The following examples allow you to enforce Instance metadata options over EC2 instances. to learn more about Instance Metadata option please visit: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceMetadataOptions.html
To filter the list of instances you can choose any combination of Ec2 mwtadate-instances elements.
As of now below options are available:
HttpEndpoint
Valid Values: disabled | enabled
Action value: HttpEndpoint
HttpPutResponseHopLimit
Possible values: Integers from 1 to 64
Action value: HttpPutResponseHopLimit
HttpTokens
Valid Values: optional | required
Action value: tokens
InstanceMetadataTags
Valid Values: disabled | enabled
Action value: metadata-tags
Examples:¶
policies: - name: ec2-require-imdsv2 resource: ec2 description: | Finds all instances with optional HttpTokens and change the policy to Requied. filters: - MetadataOptions.HttpTokens: optional actions: - type: set-metadata-access tokens: required policies: - name: ec2-disable-imds resource: ec2 description: | Finds all instacnes with Enabled httpsendpoint and change it to disabled. By default this option must be enabled therefore, please make sure before disabling this option. filters: - MetadataOptions.HttpEndpoint: enabled actions: - type: set-metadata-access endpoint: disabled policies: - name: ec2-disable-imds resource: ec2 description: | Finds all the instances with disables Instance Meta Data Tags and enable them. filters: - MetadataOptions.InstanceMetadataTags: disabled actions: - type: set-metadata-access metadata-tags: enabled
Intance MetaDate Tags Reference: https://amzn.to/2XOuxpQ
Custodian Filters reference: https://cloud-custodian.github.io/cloud-custodian/docs/filters.html