
Gruntwork and Instance Metadata Service Version 2 (IMDSv2)

Answer

What is IMDSv2 and why should I care? Does Gruntwork support IMDSv2?

## What is IMDSv2?

Instance Metadata Service is AWS's special endpoint that is available only to running EC2 instances. It can return things like the running instance's ID, its public or private IPv4 address, IAM profile credentials, etc. [As described in the AWS EC2 user guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html), IMDSv2 introduces a new token-based authentication scheme. In short, whereas in IMDSv1 you needed only to call the endpoint, with IMDSv2 you must first request a token from IMDS and then present that token on all subsequent requests to the Instance Metadata Service endpoints. Note that the actual endpoints under IMDSv1 and IMDSv2 are identical; whether or not the token is presented is what determines whether IMDSv2 or IMDSv1 is being used. IMDSv2 always requires the token.

## Why should I care?

Although AWS explicitly states that Instance Metadata Service Version 1 is fully secure, version 2 is specially hardened against at least 4 known attack vectors. If you have no reason to remain on IMDSv1, or aren't sure which to use, use version 2.

## Does Gruntwork support IMDSv2?

Gruntwork's bash commons repository supports IMDSv2 as of [release `v0.1.8`](https://github.com/gruntwork-io/bash-commons/releases/tag/v0.1.8).

## What other resources are there for understanding IMDSv2?
### Gruntwork Resources

- [Gruntwork Bash Commons release `v0.1.8` (introduces IMDSv2 support)](https://github.com/gruntwork-io/bash-commons/releases/tag/v0.1.8)
- [Gruntwork module disable-instance-metadata](https://github.com/gruntwork-io/terraform-aws-server/tree/master/modules/disable-instance-metadata) - A script that can remove access to IMDS once it's no longer necessary, for added security
- [Gruntwork module require-instance-metadata-service-version](https://github.com/gruntwork-io/terraform-aws-server/tree/master/modules/require-instance-metadata-service-version) - A script that can make IMDSv2 access optional or required

### AWS Resources

- [AWS EC2 User Guide: Use IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html)
- [AWS EC2 User Guide: Retrieve instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html)
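The token flow described above under "What is IMDSv2?" (request a token, then present it on every metadata request) in plain POSIX sh and curl. This is an added example, not code from the Gruntwork page or from bash-commons; the helper names (`imds_get_token`, `imds_get`, `imds_validate_ttl`, `imds_normalize_path`) are my own, it assumes `curl` is installed, and it uses the standard IPv4 IMDS address, overridable through an assumed `IMDS_ENDPOINT` variable.

```shell
#!/bin/sh
# Added example: fetch EC2 instance metadata using the IMDSv2 token flow.
# Not from the Gruntwork page or bash-commons. Assumes curl is installed.
# IMDS_ENDPOINT is an assumed override hook; the default is the documented
# link-local IMDS address.

IMDS_ENDPOINT="${IMDS_ENDPOINT:-http://169.254.169.254}"

# A token TTL must be a whole number of seconds between 1 and 21600 (six hours).
# Returns 0 when valid, 1 otherwise.
imds_validate_ttl() {
  ttl="$1"
  case "$ttl" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$ttl" -ge 1 ] && [ "$ttl" -le 21600 ]
}

# Accept "meta-data/instance-id", "/meta-data/instance-id" or
# "/latest/meta-data/instance-id" and return the path relative to /latest/.
imds_normalize_path() {
  p="${1#/}"          # drop a leading slash
  p="${p#latest/}"    # drop an explicit "latest/" prefix
  printf '%s\n' "$p"
}

# Step 1: obtain a session token. IMDSv2 requires a PUT with the TTL header;
# a plain GET to this path is rejected, which is part of the hardening.
imds_get_token() {
  ttl="${1:-21600}"
  imds_validate_ttl "$ttl" || { echo "invalid TTL: $ttl" >&2; return 1; }
  curl -sS --fail --max-time 2 -X PUT \
    -H "X-aws-ec2-metadata-token-ttl-seconds: $ttl" \
    "$IMDS_ENDPOINT/latest/api/token"
}

# Step 2: call the same endpoint IMDSv1 would use, but present the token.
# When the instance is set to http-tokens=required, omitting the header
# yields HTTP 401 and curl --fail makes this function return non-zero.
imds_get() {
  token="$1"
  path="$(imds_normalize_path "$2")"
  curl -sS --fail --max-time 2 \
    -H "X-aws-ec2-metadata-token: $token" \
    "$IMDS_ENDPOINT/latest/$path"
}

# Usage (only meaningful on an EC2 instance):
#   sh imds_v2.sh meta-data/instance-id
if [ "$#" -gt 0 ]; then
  TOKEN="$(imds_get_token 300)" || exit 1
  imds_get "$TOKEN" "$1"
fi
```

Short TTLs such as the 300 seconds used here keep a leaked token useful for only a few minutes. To confirm that an instance actually enforces this flow, check that its metadata options show `http-tokens` as `required` (the setting the `require-instance-metadata-service-version` module manages); in `optional` mode the token-less IMDSv1 request still succeeds.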