Metadata

AWS EC2 Instance Metadata & User Data – IMDSv2

~ Last updated on : ~ jayendrapatil ~ 4 Comments

EC2 Instance Metadata & Userdata

⚠️ Important Update (2024): Starting mid-2024, all newly released Amazon EC2 instance types use IMDSv2 only by default. AWS strongly recommends migrating from IMDSv1 to IMDSv2 across all existing infrastructure. Amazon Linux 2023 enforces IMDSv2 by default with IMDSv1 disabled.

  • Instance metadata and user data can be used for Self Configuration allowing EC2 instances answer the question Who am I? What should I do?
  • Instance metadata and user data can be accessed from within the instance itself
  • Data is not protected by authentication or cryptographic methods. Anyone who can access the instance can view its metadata and should not be used to store any sensitive data, such as passwords, as user data.
  • Both the metadata and user data are available from the IP address 169.254.169.254 (IPv4) or fd00:ec2::254 (IPv6, on Nitro instances) and have the latest as well as previous versions available
  • Metadata and User data can be retrieved using simple curl or GET command and these requests are not billed

Instance Metadata

  • Instance metadata is data about the instance and allows you to get answers to the Who am I?
  • is divided into two categories
    • Instance metadata
      • includes metadata about the instance such as instance id, AMI id, hostname, IP address, role, etc
      • Can be accessed from http://169.254.169.254/latest/meta-data/
    • Dynamic data
      • is generated when the instances are launched such as instance identity documents, instance monitoring, etc
      • Can be accessed from http://169.254.169.254/latest/dynamic/
  • can be used for managing and configuring running instances
  • allows access to user data that specified when launching the instance

Instance Metadata Access Methods

  • Instance metadata can be accessed from a running instance using one of the following methods:
    • Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method (Recommended)
    • Instance Metadata Service Version 1 (IMDSv1) – a request/response method (Legacy, being phased out)
  • By default, either IMDSv1 or IMDSv2, or both can be used on older instance types.
  • Starting mid-2024, all newly released EC2 instance types use IMDSv2 only by default.
  • Instance metadata service distinguishes between IMDSv1 and IMDSv2 requests based on whether, for any given request, either the PUT or GET headers, which are unique to IMDSv2, are present in that request.
  • Instance metadata service can be configured on each instance so that local code or users must use IMDSv2. When IMDSv2 is enforced, IMDSv1 no longer works.
  • IMDS can also be completely disabled on an instance if instance metadata access is not needed.

IMDSv2

  • IMDSv2 uses session-oriented requests.
  • With session-oriented requests, a session token that defines the session duration is created, which can be a minimum of one second and a maximum of six hours.
  • During the specified duration, the same session token can be used for subsequent requests.
  • After the specified duration expires, a new session token to use for future requests must be created.
  • IMDSv2 provides additional protection against the following vulnerabilities:
    • Open website application firewalls
    • Open reverse proxies
    • Server-Side Request Forgery (SSRF) vulnerabilities
    • Open Layer 3 firewalls and NATs
  • HTTP PUT response hop limit controls the number of network hops the token can travel.
    • Default is 1 for standard instances
    • Should be set to 2 or higher for instances running containers (Docker, ECS, EKS) as the container adds an extra network hop
    • Maximum value is 64

IMDSv2 Example Usage

IMDSv2 Migration and Enforcement

  • AWS IMDSv2 Default Timeline:
    • November 2023: All console Quick Start launches use IMDSv2-only
    • March 2024: Account-level API (ModifyInstanceMetadataDefaults) to set IMDSv2 as default for all new launches
    • Mid-2024: All newly released EC2 instance types use IMDSv2 only (IMDSv1 can still be re-enabled)
    • Amazon Linux 2023: IMDSv1 disabled by default, hop limit set to 2
  • Methods to enforce IMDSv2:
    • Set IMDSv2 as default at the account level using ModifyInstanceMetadataDefaults API
    • Use Declarative Policies in AWS Organizations to enforce across multiple accounts and Regions simultaneously
    • Configure the instance at launch time
    • Configure the AMI to require IMDSv2
    • Use IAM policies to require IMDSv2
  • Use the MetadataNoToken CloudWatch metric to identify IMDSv1 usage before enforcing IMDSv2
  • Use the IMDS Packet Analyzer tool to pinpoint exactly which software needs updating for IMDSv2 compatibility

IMDS IPv6 Support

  • On Nitro-based instances, IMDS is also accessible via IPv6 at fd00:ec2::254
  • The IPv6 endpoint can be explicitly enabled on instances
  • Useful for dual-stack or IPv6-only environments

Instance Tags in Metadata

  • Instance tags can be accessed from the instance metadata (available since January 2022)
  • By default, access to instance tags in metadata is disabled and must be explicitly enabled
  • Can be enabled at launch or after launch on a running or stopped instance
  • Tags can be accessed from http://169.254.169.254/latest/meta-data/tags/instance
  • Useful for self-configuration without needing IAM permissions to call the EC2 API

IMDS Security Considerations

  • IMDS runs on a loopback network interface and network calls never leave the EC2 instance
  • IMDSv2 protects against SSRF attacks by requiring a PUT request (which most SSRF exploits cannot make)
  • The hop limit of 1 in IMDSv2 prevents token retrieval from outside the instance
  • AWS issued a security bulletin (AWS-2025-021) regarding potential IMDS impersonation scenarios, reinforcing the importance of using IMDSv2
  • Ensure all SDKs, CLIs, and tools support IMDSv2 before disabling IMDSv1

User Data

  • User data can be used for bootstrapping (launching commands when the machine starts) EC2 instance and helps answer the What should I do?
  • is supplied when launching a EC2 instance and executed at boot time
  • can be in the form of parameters or user defined script executed when the instance is launched for e.g. perform software patch updates, load and update the application from an S3 bucket etc
  • can be used to build more generic AMIs, which can then be configured at launch time dynamically
  • can be retrieved from http://169.254.169.254/latest/user-data
  • By default, user data scripts and cloud-init directives run only during the first boot cycle when an EC2 instance is launched.
  • If you stop an instance, modify the user data, and start the instance, the new user data is not executed automatically.
  • However, user data script and cloud-init directives can be configured with a MIME multi-part file. A MIME multi-part file allows the script to override how frequently user data is executed in the cloud-init package.
  • is treated as opaque data and returned as is.
  • is limited to 16 KB. This limit applies to the data in raw form, not base64-encoded form.
  • must be base64-encoded before being submitted to the API. EC2 command line tools perform the base64 encoding. The data is decoded before being presented to the instance.

Cloud-Init & EC2Launch

  • Cloud-Init and EC2Launch agents provide the ability to parse the user-data script on the instance and run the instructions
  • Cloud-Init
    • Amazon Linux AMI supports Cloud-Init, which is an open source application built by Canonical.
    • is installed on Amazon Linux 2, Amazon Linux 2023, Ubuntu, and RHEL AMIs
    • enables using the EC2 UserData parameter to specify actions to run on the instance at boot time
    • User data is executed on first boot using Cloud-Init, if the user data begins with #!
  • EC2Launch v2 (Current – Windows Server 2022 and later)
    • EC2Launch v2 is the latest Windows launch agent that replaces both EC2Config and EC2Launch v1
    • Pre-installed on Windows Server 2022 and Windows Server 2025 AMIs
    • Supports all EC2Config and EC2Launch features with additional capabilities
    • Uses a YAML-based configuration for better control over launch tasks
    • User data is executed if it begins with <script> or <powershell>
    • Runs tasks at instance startup and supports task scheduling
    • Includes Sysprep support for creating custom Windows AMIs
    • Supports IMDSv2 natively
  • EC2Launch v1 (Legacy – Windows Server 2016/2019)
    • Replaced EC2Config on Windows Server 2016 and 2019
    • Version 1.3.2002730 or later required for IMDSv2 support
    • AWS recommends migrating to EC2Launch v2
  • EC2Config (Deprecated)
    • EC2Config was used on Windows Server 2012 and earlier
    • EC2Config is deprecated — the Windows Server versions it supports (2012 and earlier) are no longer supported by Microsoft
    • AWS strongly recommends upgrading to EC2Launch v2 on a supported OS version
    • Documentation is maintained for historical reference only

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. How can software determine the public and private IP addresses of the Amazon EC2 instance that it is running on?
    1. Query the local instance metadata
    2. Query the appropriate Amazon CloudWatch metric.
    3. Query the local instance userdata.
    4. Use ipconfig or ifconfig command.
  2. The base URI for all requests for instance metadata is ___________
    1. http://254.169.169.254/latest/
    2. http://169.169.254.254/latest/
    3. http://127.0.0.1/latest/
    4. http://169.254.169.254/latest/
  3. Which Amazon Elastic Compute Cloud feature can you query from within the instance to access instance properties?
    1. Instance user data
    2. Resource tags
    3. Instance metadata
    4. Amazon Machine Image
  4. You need to pass a custom script to new Amazon Linux instances created in your Auto Scaling group. Which feature allows you to accomplish this?
    1. User data
    2. EC2Config service
    3. IAM roles
    4. AWS Config
  5. By default, when an EBS volume is attached to a Windows instance, it may show up as any drive letter on the instance. You can change the settings of the _____ Service to set the drive letters of the EBS volumes per your specifications.
    1. EBSConfig Service
    2. AMIConfig Service
    3. EC2Launch v2 Service (Note: Previously EC2Config Service. EC2Launch v2 is the current service for Windows Server 2022+)
    4. Ec2-AMIConfig Service
  6. How can software determine the public and private IP addresses of the Amazon EC2 instance that it is running on?
    1. Query the appropriate Amazon CloudWatch metric.
    2. Use ipconfig or ifconfig command.
    3. Query the local instance userdata.
    4. Query the local instance metadata.
  7. A security team wants to ensure that all EC2 instances in their account use only IMDSv2 and IMDSv1 is disabled. Which of the following approaches can achieve this? (Select TWO)
    1. Use the ModifyInstanceMetadataDefaults API to set IMDSv2 as required at the account level
    2. Disable the instance metadata service entirely
    3. Use Declarative Policies in AWS Organizations to enforce IMDSv2 across the organization
    4. Set the hop limit to 0
    5. Create a security group rule to block IMDSv1 requests
  8. An application running in a Docker container on an EC2 instance is unable to retrieve the IMDSv2 session token. What is the most likely cause?
    1. The security group is blocking metadata access
    2. The HTTP PUT response hop limit is set to 1, which does not allow the token to reach the container
    3. IMDSv2 does not support containerized workloads
    4. The container is not using the correct IP address
  9. Which of the following is the IPv6 address for accessing the Instance Metadata Service on Nitro-based instances?
    1. fe80::254
    2. fc00:ec2::254
    3. fd00:ec2::254
    4. ::1/metadata
  10. A company wants to allow EC2 instances to access their own tags without making API calls. What should they do?
    1. Tags are automatically available in instance metadata
    2. Enable the “Allow access to tags in instance metadata” option for the instance
    3. Attach an IAM role with ec2:DescribeTags permission
    4. Install a special agent to retrieve tags

References