
IMDSv1에서 IMDSv2로 전환

주의: 아래 SSM 문서의 스크립트는 `describe-instances` 조회가 실패하면(인스턴스 프로파일 권한 부족, 또는 토큰 없는 IMDSv1 호출로 가져온 INSTANCE_ID가 비어 있는 경우) HTTP_TOKENS가 빈 값이 되어 else 분기로 떨어지고, 'IMDSv2 already in use or not applicable'을 출력한 채 아무것도 바꾸지 않고 성공처럼 종료한다(fail-open). 조회 실패를 명시적으로 실패로 처리하고(`set -euo pipefail`, `[ -n "$HTTP_TOKENS" ]` 확인), 인스턴스 ID는 `PUT /latest/api/token`으로 받은 토큰을 `X-aws-ec2-metadata-token` 헤더에 담아 조회하며, 대상 인스턴스 프로파일에는 스크립트가 호출하는 `ec2:DescribeInstances`와 `ec2:ModifyInstanceMetadataOptions` 권한이 최소 범위로 부여되어야 한다.

{ "schemaVersion": "2.2", "description": "Enforce IMDSv2 on EC2 instances", "mainSteps": [ { "action": "aws:runShellScript", "name": "enforceIMDSv2", "inputs": { "runCommand": [ "#!/bin/bash", "INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)", "HTTP_TOKENS=$(aws ec2 describe-instances --instance-ids $INSTANCE_ID --query 'Reservations[0].Instances[0].MetadataOptions.HttpTokens' --region ap-northeast-2 --output text)", "echo \"Current HttpTokens: $HTTP_TOKENS\"", "if [ \"$HTTP_TOKENS\" = \"optional\" ]; then", " echo 'IMDSv1 detected, switching to IMDSv2'", " aws ec2 modify-instance-metadata-options --instance-id $INSTANCE_ID --http-tokens required --http-endpoint enabled --region ap-northeast-2", "else", " echo 'IMDSv2 already in use or not applicable'", "fi" ] } } ] }
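# Publish the SSM Command document; enforce-imdsv2.json holds the JSON document shown above.
# SSM documents are regional. Pin --region so the document is created where the target
# instances live and where the matching delete-document (below, ap-northeast-2) looks for it;
# without it the CLI falls back to the caller's default region and the two commands can diverge.
# The document's script runs `ec2 describe-instances` and `ec2 modify-instance-metadata-options`
# with the instance's own credentials, so each target's instance profile must allow those
# actions — grant them as narrowly as your policy model permits, since a workload holding
# ec2:ModifyInstanceMetadataOptions on "*" could re-enable IMDSv1 on other instances.
aws ssm create-document \
  --name "EnforceIMDSv2" \
  --document-type "Command" \
  --content file://enforce-imdsv2.json \
  --region ap-northeast-2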
# Tear down the Command document in the same region it was published to.
# Deleting the document only removes the definition; HttpTokens settings already
# changed on instances by earlier runs are left as they are.
aws ssm delete-document --region ap-northeast-2 --name EnforceIMDSv2