Configuring the IMDS on your Elastic Beanstalk environment's instances
This topic describes the Instance Metadata Service (IMDS).
Instance metadata is data that's related to an Amazon Elastic Compute Cloud (Amazon EC2) instance that applications can use to configure or manage the running instance. The instance metadata service (IMDS) is an on-instance component that code on the instance uses to securely access instance metadata. This code can be Elastic Beanstalk platform code on your environment instances, the AWS SDK that your application might be using, or even your application's own code. For more information, see Instance metadata and user data in the Amazon EC2 User Guide.
Code can access instance metadata from a running instance using one of two methods: Instance Metadata Service Version 1 (IMDSv1) or Instance Metadata Service Version 2 (IMDSv2). IMDSv2 uses session-oriented requests and mitigates several types of vulnerabilities that could be used to try to access the IMDS. For information about these two methods, see Configuring the instance metadata service in the Amazon EC2 User Guide.
Platform support for IMDS
Elastic Beanstalk platforms running on Amazon Linux 2, Amazon Linux 2023, and Windows Server all support both IMDSv1 and IMDSv2. For more information, see Configuring IMDS using the Elastic Beanstalk console.
Choosing IMDS methods
When making a decision about the IMDS methods that you want your environment to support, consider the following use cases:
- AWS SDK – If your application uses an AWS SDK, make sure you use the latest version of the SDK. The AWS SDKs make IMDS calls, and newer SDK versions use IMDSv2 whenever possible. If you ever disable IMDSv1, or if your application uses an old SDK version, IMDS calls might fail.
- Your application code – If your application makes IMDS calls, consider using the AWS SDK to make the calls instead of making direct HTTP requests. This way, you don't need to make code changes to switch between IMDS methods. The AWS SDK uses IMDSv2 whenever possible.
- Elastic Beanstalk platform code – Our code makes IMDS calls through the AWS SDK, and therefore uses IMDSv2 on all supporting platform versions. If your code uses an up-to-date AWS SDK and makes all IMDS calls through the SDK, you can safely disable IMDSv1.
Configuring IMDS using the Elastic Beanstalk console
You can modify your Elastic Beanstalk environment's Amazon EC2 instance configuration in the Elastic Beanstalk console.
Important
The DisableIMDSv1 option setting can cause Elastic Beanstalk to create an environment with a launch template or update an existing environment from launch configurations to launch templates. For more information, see Launch Templates.
To configure IMDS on your Amazon EC2 instances in the Elastic Beanstalk console
- Open the Elastic Beanstalk console, and in the Regions list, select your AWS Region.
- In the navigation pane, choose Environments, and then choose the name of your environment from the list.
  Note
  If you have many environments, use the search bar to filter the environment list.
- In the navigation pane, choose Configuration.
- In the Instance traffic and scaling configuration category, choose Edit.
- Set Disable IMDSv1 to enforce IMDSv2. Clear Disable IMDSv1 to enable both IMDSv1 and IMDSv2.
- To save the changes, choose Apply at the bottom of the page.
The aws:autoscaling:launchconfiguration namespace
You can use a configuration option in the aws:autoscaling:launchconfiguration namespace to configure IMDS on your environment's instances.
Important
The DisableIMDSv1 option setting can cause Elastic Beanstalk to create an environment with a launch template or update an existing environment from launch configurations to launch templates. For more information, see Launch Templates.
The following configuration file example disables IMDSv1 using the DisableIMDSv1 option.
option_settings:
  aws:autoscaling:launchconfiguration:
    DisableIMDSv1: true
Set DisableIMDSv1 to true to disable IMDSv1 and enforce IMDSv2.
Set DisableIMDSv1 to false to enable both IMDSv1 and IMDSv2.
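To confirm which environments actually enforce IMDSv2, the DisableIMDSv1 option can be read back from each environment's configuration settings. The following is an added example, not part of the AWS documentation: it assumes JSON in the shape returned by `aws elasticbeanstalk describe-configuration-settings`, and the environment names, sample data and function names are constructed for illustration.

```python
import json

NAMESPACE = "aws:autoscaling:launchconfiguration"
OPTION = "DisableIMDSv1"

# Constructed sample: settings of three hypothetical environments merged into
# one document shaped like describe-configuration-settings output.
SAMPLE = json.dumps({
    "ConfigurationSettings": [
        {"EnvironmentName": "web-prod", "OptionSettings": [
            {"Namespace": NAMESPACE, "OptionName": OPTION, "Value": "true"},
            {"Namespace": NAMESPACE, "OptionName": "InstanceType", "Value": "t3.small"}]},
        {"EnvironmentName": "web-staging", "OptionSettings": [
            {"Namespace": NAMESPACE, "OptionName": OPTION, "Value": "false"}]},
        {"EnvironmentName": "worker-legacy", "OptionSettings": [
            {"Namespace": NAMESPACE, "OptionName": "InstanceType", "Value": "t2.micro"}]},
    ]
})


def imds_status(settings):
    """Return 'imdsv2-only', 'imdsv1-allowed' or 'unset' for one environment."""
    for opt in settings.get("OptionSettings", []):
        if opt.get("Namespace") == NAMESPACE and opt.get("OptionName") == OPTION:
            value = opt.get("Value")
            if value is None:
                return "unset"
            # Option values come back as strings; compare case-insensitively.
            return "imdsv2-only" if str(value).strip().lower() == "true" else "imdsv1-allowed"
    return "unset"  # option absent: report it rather than assume a default


def audit(raw_json):
    """Map each environment name to its IMDS status."""
    doc = json.loads(raw_json)
    return {s.get("EnvironmentName", "<unnamed>"): imds_status(s)
            for s in doc.get("ConfigurationSettings", [])}


def non_compliant(raw_json):
    """Sorted names of environments that do not explicitly enforce IMDSv2."""
    return sorted(n for n, st in audit(raw_json).items() if st != "imdsv2-only")


if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

Environments reported as `unset` carry no explicit value for the option, so they are listed for review alongside those that allow IMDSv1.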