IMDSv2

IMDSv2 is an enhanced version of the Instance Metadata Service that addresses security vulnerabilities in IMDSv1 by requiring a session-oriented approach for accessing instance metadata.

AWS Open Source Cloud Service Only
Category Infrastructure Security & Hardening
Last Commit 1 year ago
Last page update 19 days ago
Pricing Details Free to use within AWS services.
Target Audience AWS developers and system administrators managing EC2 instances.

The core security challenge addressed by IMDSv2 is the exposure of Instance Metadata Service Version 1 (IMDSv1) to attacks such as Server-Side Request Forgery (SSRF) and unauthorized access to sensitive instance metadata. IMDSv2 mitigates these risks through several key enhancements.

Technically, IMDSv2 introduces a session-oriented approach, requiring a two-step process to access instance metadata. First, a PUT request is made to the session URI to obtain a session token, valid for a caller-specified duration (between 1 second and 6 hours). That token must then be sent in a request header on every subsequent GET request to the metadata endpoint, ensuring that all communications are authenticated and encrypted.

Operational considerations include the need to update all software, SDKs, and CLI tools to versions that support IMDSv2. This involves identifying and transitioning existing infrastructure from IMDSv1 to IMDSv2, which can be facilitated using tools like the IMDS Packet Analyzer and CloudWatch metrics to track the transition progress.

Key technical details include the use of session tokens that are bound to the EC2 instance where the session was initiated, preventing tokens from being used across different instances. Additionally, IMDSv2 blocks session token requests if they contain an X-Forwarded-For header, further reducing the risk of unauthorized access.
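The two-step flow and the token-request rules described above, as an added example that is not part of the original page or of AWS's own tooling: a minimal Python client for the session URI and token header, run against a constructed in-process stand-in for the metadata endpoint. The real service lives at 169.254.169.254; the stand-in's address, token value and instance id are constructed, and it applies the rules the page states (token required on GET, TTL bounded to 1..21600 seconds, X-Forwarded-For rejected on token requests).

```python
import threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"                 # real IMDSv2 session URI
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
MAX_TTL = 21600                                  # 6 hours, the IMDSv2 maximum

class FakeIMDS(BaseHTTPRequestHandler):
    """Constructed stand-in for 169.254.169.254 that applies the IMDSv2 rules."""
    token = "constructed-session-token"
    def log_message(self, *args): pass           # keep the demo quiet
    def do_PUT(self):
        ttl = self.headers.get(TTL_HEADER, "")
        # Token requests must hit the session URI, carry an in-range TTL, and
        # must not have crossed a proxy (X-Forwarded-For is rejected).
        if (self.path != TOKEN_PATH or "X-Forwarded-For" in self.headers
                or not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL):
            return self._reply(400, "invalid token request")
        self._reply(200, self.token)
    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) != self.token:   # IMDSv1-style call
            return self._reply(401, "session token required")
        self._reply(200, "i-0constructed1234567")          # constructed value
    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())

def start_fake_imds():
    """Start the stand-in on a loopback port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def _send(req):
    """Return (status, body); 4xx is returned, not raised, so callers can inspect it."""
    try:
        with urllib.request.urlopen(req, timeout=2) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def request_token(base, ttl=MAX_TTL, extra_headers=None):
    """Step 1: PUT to the session URI with the TTL header; returns (status, token)."""
    headers = {TTL_HEADER: str(ttl), **(extra_headers or {})}
    return _send(urllib.request.Request(base + TOKEN_PATH, method="PUT", headers=headers))

def get_metadata(base, path, token=None):
    """Step 2: GET metadata presenting the session token (omit it to mimic IMDSv1)."""
    headers = {TOKEN_HEADER: token} if token else {}
    return _send(urllib.request.Request(base + path, headers=headers))
```

Point `base` at `http://169.254.169.254` on a real instance and the same two calls work unchanged; the 401 on the token-less GET is what an IMDSv2-only instance returns to legacy callers.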

In terms of limitations, the transition to IMDSv2 requires careful planning and coordination, especially for large-scale deployments. Existing instances must be updated, and new instances should be launched with IMDSv2 configured by default. Service control policies (SCPs) and IAM policies can be implemented to enforce the use of IMDSv2 across all instances, ensuring a secure and consistent environment.
