IMDSv2: AWS Instance Metadata Service Version 2 Explained
IMDSv2 is AWS's security improvement to the Instance Metadata Service, requiring session tokens to prevent SSRF-based credential theft attacks.
What is IMDSv2?
Instance Metadata Service Version 2 (IMDSv2) is AWS’s security-hardened version of the EC2 metadata endpoint. The Instance Metadata Service (IMDS) lets code running on an EC2 instance retrieve information about itself — instance ID, security credentials, network configuration, and IAM role credentials — by making HTTP requests to 169.254.169.254.
IMDSv2 adds a session-based authentication mechanism: before accessing metadata, code must first obtain a session token via a PUT request, then include that token in subsequent GET requests. This seemingly small change blocks an entire class of attacks that exploited the original IMDSv1.
Why It Matters
IMDSv1 is dangerous because it requires nothing more than a simple HTTP GET to retrieve IAM credentials. If an attacker can make an EC2 instance issue an HTTP request — via Server-Side Request Forgery (SSRF), misconfigured proxies, or compromised application code — they can steal the instance’s IAM credentials instantly.
The Capital One breach (2019) exploited exactly this pattern: an SSRF vulnerability in a web application allowed the attacker to query IMDSv1 and extract IAM credentials, leading to access to 100+ million customer records.
IMDSv2 mitigates this because:
- PUT request required — SSRF vulnerabilities that only allow GET requests can’t obtain a session token
- Token TTL — Tokens expire, limiting the window of exploitation
- Hop limit — The response to the token PUT request is sent with an IP TTL (hop limit) of 1 by default, so the token can’t be relayed across a network hop (blocking attacks from containers or reverse proxies)
How It Works / Key Concepts
IMDSv1 (Vulnerable)
```bash
# Anyone on the instance can get IAM credentials with a single GET
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role
```
One HTTP GET = full IAM credentials. No authentication, no session, no headers required.
IMDSv2 (Secure)
```bash
# Step 1: Get a session token (PUT request with a token-lifetime header)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Step 2: Use the token to access metadata
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role
```
Configuration Options
AWS provides three IMDS settings per instance:
| Setting | Behavior |
|---|---|
| HttpTokens: optional | Both IMDSv1 and IMDSv2 work (default for older instances) |
| HttpTokens: required | Only IMDSv2 works — IMDSv1 requests are rejected |
| HttpEndpoint: disabled | IMDS is completely disabled |
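An added example of the audit these settings imply (not Kloudle's own check and not AWS code): it walks a DescribeInstances-shaped result and classifies each instance's `MetadataOptions` (`HttpTokens`, `HttpEndpoint`, `HttpPutResponseHopLimit`, which are the real API field names) into a finding. The sample data and instance IDs are constructed for the example.

```python
# Constructed sample in EC2 DescribeInstances shape (Reservations -> Instances ->
# MetadataOptions). The field names are the real API names; instance IDs are made up.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0example0000001", "MetadataOptions": {
        "HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example0000002", "MetadataOptions": {
        "HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example0000003", "MetadataOptions": {
        "HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0example0000004", "MetadataOptions": {
        "HttpTokens": "optional", "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 1}},
]}]


def classify_metadata_options(opts):
    """Return (severity, reason) for one instance's MetadataOptions.

    Order matters: a disabled endpoint makes the other settings moot, and
    IMDSv1 being answerable outranks a generous hop limit.
    """
    if opts.get("HttpEndpoint") == "disabled":
        return ("info", "IMDS endpoint disabled; nothing reachable at 169.254.169.254")
    # Assumption: a missing HttpTokens value is treated as "optional" (IMDSv1 allowed).
    if opts.get("HttpTokens", "optional") != "required":
        return ("high", "IMDSv1 enabled: IAM credentials readable with a single GET")
    # Assumption: a missing hop limit is treated as the default of 1.
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        return ("medium", "IMDSv2 enforced but PUT response hop limit > 1")
    return ("ok", "IMDSv2 enforced with hop limit 1")


def audit_instances(reservations):
    """Map InstanceId -> (severity, reason) across a DescribeInstances result."""
    findings = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            findings[inst["InstanceId"]] = classify_metadata_options(
                inst.get("MetadataOptions", {}))
    return findings


def instances_needing_enforcement(findings):
    """Instance IDs still answering IMDSv1; candidates for HttpTokens: required."""
    return sorted(i for i, (sev, _) in findings.items() if sev == "high")


if __name__ == "__main__":
    for instance_id, (severity, reason) in audit_instances(SAMPLE_RESERVATIONS).items():
        print(f"{instance_id}: {severity:6} {reason}")
```

The IDs returned by `instances_needing_enforcement` are the ones to fix with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, after confirming the software on each instance supports IMDSv2.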
Migration Considerations
Enforcing IMDSv2 (HttpTokens: required) is the recommended configuration, but requires verifying that all software on the instance supports it. Most modern AWS SDKs and tools support IMDSv2 natively. Legacy applications or older SDK versions may need updates.
AWS also supports account-level defaults — new instances automatically launch with IMDSv2 required, eliminating the “forgot to set it” problem.
Related AWS Defaults
Since 2024, new AWS accounts default to IMDSv2 for new instances. However, existing instances and older accounts retain their original settings unless explicitly migrated.
How Kloudle Helps
Kloudle checks every EC2 instance for IMDSv1 exposure — flagging instances where HttpTokens is set to optional or where the metadata endpoint is enabled without session token enforcement. This is one of the highest-impact checks in Kloudle’s 1,890-check library because it directly prevents credential theft. Sovereign deployment means your instance metadata posture data stays in your account.
Related Terms
- What is Cloud Misconfiguration? — IMDSv1 is a critical misconfiguration
- What is CSPM? — Tools that check IMDS settings
- What is Security Groups? — Network-level instance protection