'How to tell what version of Instance Metadata Service(IMDS) EC2 instance is using?

I'm trying to figure out what version of Instance Metadata Service my ec2 instance is using.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#configuring-instance-metadata-options



Solution 1:[1]

If you want to determine it from the EC2 instance, you can just try sending a request to http://169.254.169.254/ and see what the status code is.

For example, this instance has IMDSv2 enabled and requests without a token are not accepted:

$ curl -w "%{http_code}\n" http://169.254.169.254/
401

The 401 status code means Unauthorized.

If you have AWS access keys with permissions to describe EC2 instances, then you can run the following:

$ aws ec2 describe-instances --region us-west-2 --instance-id i-0123456789abcdef --query "Reservations[0].Instances[0].MetadataOptions"
{
    "State": "applied",
    "HttpTokens": "optional",
    "HttpPutResponseHopLimit": 1,
    "HttpEndpoint": "enabled"
}

This server does not require IMDSv2 (HttpTokens is optional).

To enable IMDSv2, you can run aws ec2 modify-instance-metadata-options. See more in AWS documentation on configuring the instance metadata options.

Solution 2:[2]

Let me summarise what I found here

  1. Connect to an instance via the EC2 service in the AWS Console
  2. Put the IMDSv1 command: curl http://169.254.169.254/latest/meta-data/
  3. If you receive a list items then your instance can use IMDSv1 requests. If you receive 401 - Unauthorized then it uses IMDSv2 or non.
  4. Now put the IMDSv2 command: TOKEN=curl -X PUT "<http://169.254.169.254/latest/api/token"> -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
  5. If you receive a list of items, then your instance can use IMDSv2 requests. Otherwise, your instance is not allowed to request meta data at all (regardless of the version)

If you want to change this configuration follow this.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Janusz 'Ivellios' Kamie?ski
Solution 2 Jay