Skip to main content
BlueXP setup and administration

Require the use of IMDSv2 on Amazon EC2 instances

Contributors netapp-bcammett

BlueXP supports the Amazon EC2 Instance Metadata Service Version 2 (IMDSv2) with the Connector and with Cloud Volumes ONTAP (including the mediator for HA deployments). In most cases, IMDSv2 is automatically configured on new EC2 instances. IMDSv1 was enabled prior to March 2024. If required by your security policies, you might need to manually configure IMDSv2 on your EC2 instances.

Before you begin
  • The Connector version must be 3.9.38 or later.

  • Cloud Volumes ONTAP must be running one of the following versions:

    • 9.12.1 P2 (or any subsequent patch)

    • 9.13.0 P4 (or any subsequent patch)

    • 9.13.1 or any version after this release

  • This change requires you to restart the Cloud Volumes ONTAP instances.

  • These steps require the use of the AWS CLI because you must change the response hop limit to 3.

About this task

IMDSv2 provides enhanced protection against vulnerabilities. Learn more about IMDSv2 from the AWS Security Blog

The Instance Metadata Service (IMDS) is enabled as follows on EC2 instances:

  • For new Connector deployments from BlueXP or using Terraform scripts, IMDSv2 is enabled by default on the EC2 instance.

  • If you launch a new EC2 instance in AWS and then manually install the Connector software, IMDSv2 is also enabled by default.

  • If you launch the Connector from the AWS Marketplace, IMDSv1 is enabled by default. You can manually configure IMDSv2 on the EC2 instance.

  • For existing Connectors, IMDSv1 is still supported but you can manually configure IMDSv2 on the EC2 instance if you prefer.

  • For Cloud Volumes ONTAP, IMDSv1 is enabled by default on new and existing instances. You can manually configure IMDSv2 on the EC2 instances if you prefer.

Steps
  1. Require the use of IMDSv2 on the Connector instance:

    1. Connect to the Linux VM for the Connector.

      When you created the Connector instance in AWS, you provided an AWS access key and secret key. You can use this key pair to SSH to the instance. The user name for the EC2 Linux instance is ubuntu (for Connectors created prior to May 2023, the user name was ec2-user).

    2. Install the AWS CLI.

    3. Use the aws ec2 modify-instance-metadata-options command to require the use of IMDSv2 and to change the PUT response hop limit to 3.

      Example

      aws ec2 modify-instance-metadata-options \
          --instance-id <instance-id> \
          --http-put-response-hop-limit 3 \
          --http-tokens required \
          --http-endpoint enabled
    Note The http-tokens parameter sets IMDSv2 to required. When http-tokens is required, you must also set http-endpoint to enabled.
  2. Require the use of IMDSv2 on Cloud Volumes ONTAP instances:

    1. Go to the Amazon EC2 console

    2. From the navigation pane, select Instances.

    3. Select a Cloud Volumes ONTAP instance.

    4. Select Actions > Instance settings > Modify instance metadata options.

    5. On the Modify instance metadata options dialog box, select the following:

      • For Instance metadata service, select Enable.

      • For IMDSv2, select Required.

      • Select Save.

    6. Repeat these steps for other Cloud Volumes ONTAP instances, including the HA mediator.

    7. Stop and start the Cloud Volumes ONTAP instances

Result

The Connector instance and Cloud Volumes ONTAP instances are now configured to use IMDSv2.