AWS IAM glossary

What is IMDSv2 (Instance Metadata Service v2)?

IMDSv2 is the session-oriented, token-required version of the EC2 instance metadata service, designed to make remote theft of an instance role's credentials much harder.

Every EC2 instance with an attached instance profile can fetch that role's temporary credentials from a well-known local address, 169.254.169.254. The original version (IMDSv1) answered any plain HTTP GET to that address with no authentication, which made it a common target for SSRF vulnerabilities in web applications running on the instance — a bug in unrelated app code could be turned into full credential theft for the instance role.

IMDSv2 requires a session token, fetched first via a PUT request with a custom header, before any metadata GET is honored. Because SSRF vulnerabilities are almost always limited to controlling a GET/URL and cannot set arbitrary headers or issue a PUT, this closes the most common remote exploitation path. It does not stop someone who already has code execution on the instance itself — they can complete the PUT+GET flow locally just as easily as the legitimate application does.

Example

aws ec2 modify-instance-metadata-options \
  --instance-id i-0123456789abcdef0 \
  --http-tokens required \
  --http-endpoint enabled
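The command above enforces IMDSv2 on one instance; to find which instances in an account still accept IMDSv1, the MetadataOptions block that `aws ec2 describe-instances` returns is the thing to check. The following is an added example written for this page, not Shieldly's code and not an AWS-supplied tool. It reads a describe-instances response (the sample below is constructed, and the instance IDs other than i-0123456789abcdef0 are made up), reports every instance whose HttpTokens is not "required" while the endpoint is enabled, and prints the matching modify-instance-metadata-options command. The boto3 call in the main block is an assumption about how it would be run live; the parsing functions run offline.

```python
"""Audit EC2 instances for IMDSv1 exposure (added example, not Shieldly's code)."""
from typing import Dict, Iterable, List

# Constructed sample in the shape of a describe-instances response.
# Only the fields the audit uses are included; IDs are illustrative.
SAMPLE_RESPONSE: Dict = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0123456789abcdef0",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
            {"InstanceId": "i-0fedcba9876543210",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
        ]},
        {"Instances": [
            # Constructed case: API returned no MetadataOptions at all.
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2"},
        ]},
    ]
}


def classify(instance: Dict) -> str:
    """Return one of: imdsv2-required, imdsv1-allowed, endpoint-disabled, unknown."""
    opts = instance.get("MetadataOptions")
    if not opts:
        return "unknown"  # cannot tell; treat as needing manual review
    if opts.get("HttpEndpoint") == "disabled":
        # No metadata endpoint at all: role credentials are not reachable via IMDS.
        return "endpoint-disabled"
    if opts.get("HttpTokens") == "required":
        return "imdsv2-required"
    # HttpTokens "optional" (or missing) means plain unauthenticated GETs still work.
    return "imdsv1-allowed"


def iter_instances(response: Dict) -> Iterable[Dict]:
    """Flatten the Reservations/Instances nesting of a describe-instances page."""
    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            yield instance


def find_imdsv1_instances(response: Dict) -> List[str]:
    """Instance IDs where the endpoint is on but IMDSv2 is not enforced."""
    return [i["InstanceId"] for i in iter_instances(response)
            if classify(i) == "imdsv1-allowed"]


def find_unknown_instances(response: Dict) -> List[str]:
    """Instance IDs the audit could not classify (no MetadataOptions reported)."""
    return [i["InstanceId"] for i in iter_instances(response)
            if classify(i) == "unknown"]


def remediation_commands(instance_ids: Iterable[str]) -> List[str]:
    """One modify-instance-metadata-options command per non-compliant instance."""
    return [
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {iid} --http-tokens required --http-endpoint enabled"
        for iid in instance_ids
    ]


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        # Assumption: boto3 is installed and AWS credentials/region are configured.
        import boto3
        ec2 = boto3.client("ec2")
        pages = ec2.get_paginator("describe_instances").paginate()
    else:
        pages = [SAMPLE_RESPONSE]

    flagged: List[str] = []
    unknown: List[str] = []
    for page in pages:
        flagged.extend(find_imdsv1_instances(page))
        unknown.extend(find_unknown_instances(page))

    for cmd in remediation_commands(flagged):
        print(cmd)
    for iid in unknown:
        print(f"# review manually (no MetadataOptions returned): {iid}")
```

Run without arguments to exercise the constructed sample; run with `--live` to audit the configured account. Instances whose metadata endpoint is disabled are deliberately not flagged, since there is no IMDS credential path to harden there.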

Common mistake

Treating IMDSv2 as a fix for over-privileged instance roles rather than a mitigation for one specific attack path (remote SSRF). The instance role itself still needs least-privilege scoping — anyone with shell access on the instance can retrieve its credentials under IMDSv2 exactly as under IMDSv1.

Analyze a real policy free

Shieldly's AI-Powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.