2026/02/24 - Amazon Elastic Compute Cloud - 2 updated api methods
Changes: Adds httpTokensEnforced property to ModifyInstanceMetadataDefaults API. Set per account or manage organization-wide using declarative policies to prevent IMDSv1-enabled instance launch and block attempts to enable IMDSv1 on existing IMDSv2-only instances.
{'AccountLevel': {'HttpTokensEnforced': 'disabled | enabled'}}
Gets the default instance metadata service (IMDS) settings that are set at the account level in the specified Amazon Web Services Region.
For more information, see Order of precedence for instance metadata options in the Amazon EC2 User Guide.
See also: AWS API Documentation
Request Syntax
client.get_instance_metadata_defaults(
    DryRun=True|False
)
DryRun (boolean) --
Checks whether you have the required permissions for the operation, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{
    'AccountLevel': {
        'HttpTokens': 'optional'|'required',
        'HttpPutResponseHopLimit': 123,
        'HttpEndpoint': 'disabled'|'enabled',
        'InstanceMetadataTags': 'disabled'|'enabled',
        'ManagedBy': 'account'|'declarative-policy',
        'ManagedExceptionMessage': 'string',
        'HttpTokensEnforced': 'disabled'|'enabled'
    }
}
Response Structure
(dict) --
AccountLevel (dict) --
The account-level default IMDS settings.
HttpTokens (string) --
Indicates whether IMDSv2 is required.
optional – IMDSv2 is optional, which means that you can use either IMDSv2 or IMDSv1.
required – IMDSv2 is required, which means that IMDSv1 is disabled, and you must use IMDSv2.
HttpPutResponseHopLimit (integer) --
The maximum number of hops that the metadata token can travel.
HttpEndpoint (string) --
Indicates whether the IMDS endpoint for an instance is enabled or disabled. When disabled, the instance metadata can't be accessed.
InstanceMetadataTags (string) --
Indicates whether access to instance tags from the instance metadata is enabled or disabled. For more information, see View tags for your EC2 instances using instance metadata in the Amazon EC2 User Guide.
ManagedBy (string) --
The entity that manages the IMDS default settings. Possible values include:
account - The IMDS default settings are managed by the account.
declarative-policy - The IMDS default settings are managed by a declarative policy and can't be modified by the account.
ManagedExceptionMessage (string) --
The customized exception message that is specified in the declarative policy.
HttpTokensEnforced (string) --
Indicates whether to enforce the requirement of IMDSv2 on an instance at the time of launch. When enforcement is enabled, the instance can't launch unless IMDSv2 (HttpTokens) is set to required.
{'HttpTokensEnforced': 'disabled | enabled | no-preference'}
Modifies the default instance metadata service (IMDS) settings at the account level in the specified Amazon Web Services Region.
See also: AWS API Documentation
Request Syntax
client.modify_instance_metadata_defaults(
    HttpTokens='optional'|'required'|'no-preference',
    HttpPutResponseHopLimit=123,
    HttpEndpoint='disabled'|'enabled'|'no-preference',
    InstanceMetadataTags='disabled'|'enabled'|'no-preference',
    DryRun=True|False,
    HttpTokensEnforced='disabled'|'enabled'|'no-preference'
)
HttpTokens (string) --
Indicates whether IMDSv2 is required.
optional – IMDSv2 is optional, which means that you can use either IMDSv2 or IMDSv1.
required – IMDSv2 is required, which means that IMDSv1 is disabled, and you must use IMDSv2.
HttpPutResponseHopLimit (integer) --
The maximum number of hops that the metadata token can travel. To indicate no preference, specify -1.
Possible values: Integers from 1 to 64, and -1 to indicate no preference
HttpEndpoint (string) --
Enables or disables the IMDS endpoint on an instance. When disabled, the instance metadata can't be accessed.
InstanceMetadataTags (string) --
Enables or disables access to an instance's tags from the instance metadata. For more information, see View tags for your EC2 instances using instance metadata in the Amazon EC2 User Guide.
DryRun (boolean) --
Checks whether you have the required permissions for the operation, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
HttpTokensEnforced (string) --
Specifies whether to enforce the requirement of IMDSv2 on an instance at the time of launch. When enforcement is enabled, the instance can't launch unless IMDSv2 (HttpTokens) is set to required. For more information, see Enforce IMDSv2 at the account level in the Amazon EC2 User Guide.
Return type: dict
Response Syntax
{
    'Return': True|False
}
Response Structure
(dict) --
Return (boolean) --
If the request succeeds, the response returns true. If the request fails, no response is returned, and instead an error message is returned.
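Added example (not from the AWS documentation): an audit-then-apply routine for one Region that reads the account-level defaults, reports where IMDSv1 is still allowed, and only calls ModifyInstanceMetadataDefaults when asked to and when the settings are not owned by a declarative policy. The names plan_hardening, harden_region and StubEC2 are hypothetical, the sample responses are constructed, and sending HttpTokens and HttpTokensEnforced in a single call is an assumption.

```python
# Added example. Works with any object exposing the two methods documented
# above, for instance boto3.client("ec2", region_name="us-east-1").

def plan_hardening(account_level):
    """Return (findings, modify_kwargs) for one Region's AccountLevel dict."""
    findings, kwargs = [], {}
    if account_level.get("HttpTokens") != "required":
        findings.append("HttpTokens is not 'required': IMDSv1 allowed by default")
        kwargs["HttpTokens"] = "required"
    if account_level.get("HttpTokensEnforced") != "enabled":
        findings.append("HttpTokensEnforced is not 'enabled': IMDSv1 launches not blocked")
        kwargs["HttpTokensEnforced"] = "enabled"
    if account_level.get("ManagedBy") == "declarative-policy":
        # Defaults owned by a declarative policy can't be modified by the account.
        kwargs = {}
    return findings, kwargs


def harden_region(client, apply=False):
    """Audit one Region; change settings only when apply=True."""
    level = client.get_instance_metadata_defaults().get("AccountLevel", {})
    findings, kwargs = plan_hardening(level)
    changed = False
    if apply and kwargs:
        # Assumption: both settings are accepted together in one request.
        changed = bool(client.modify_instance_metadata_defaults(**kwargs).get("Return"))
    return {"findings": findings, "planned": kwargs, "changed": changed,
            "managed_by": level.get("ManagedBy")}


class StubEC2:
    """Constructed stand-in for the EC2 client so the example runs offline."""
    def __init__(self, account_level):
        self.account_level = dict(account_level)
        self.calls = []

    def get_instance_metadata_defaults(self):
        return {"AccountLevel": dict(self.account_level)}

    def modify_instance_metadata_defaults(self, **kwargs):
        self.calls.append(kwargs)
        self.account_level.update(kwargs)
        return {"Return": True}


if __name__ == "__main__":
    # Constructed sample responses, not real account data.
    for sample in ({"HttpTokens": "optional", "ManagedBy": "account"},
                   {"HttpTokens": "required", "HttpTokensEnforced": "disabled",
                    "ManagedBy": "declarative-policy"}):
        print(harden_region(StubEC2(sample), apply=True))
```

Run it with apply=False first and review the findings: once enforcement is enabled, launches that do not set HttpTokens to required are rejected.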