AWS IMDSv2.

The session-token-based replacement for the AWS EC2 Instance Metadata Service, designed to defeat SSRF-based credential theft of EC2 instance role tokens by requiring a PUT-issued, short-lived token on every request. It belongs to the Cloud Security category of cybersecurity.

The session-token-based replacement for the AWS EC2 Instance Metadata Service, designed to defeat SSRF-based credential theft of EC2 instance role tokens by requiring a PUT-issued, short-lived token on every request.

IMDSv2 is the second version of the EC2 Instance Metadata Service, introduced in 2019 in direct response to the Capital One breach and other SSRF-driven cloud credential theft attacks. Unlike IMDSv1, where any code on the instance — including a webserver tricked into making a GET to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`— could read the instance role credentials, IMDSv2 requires the client to first issue a PUT to `/latest/api/token` with a TTL header, then include the returned session token on every metadata read. A reflected or server-side request forgery cannot easily issue both calls because the PUT requires a non-default HTTP method and a custom header, and the response is a short-lived token. IMDSv2 also lets administrators set the `HttpPutResponseHopLimit` to 1, blocking containers on the host from reaching the metadata service. As of 2023, new AWS resources and most launch templates default to `HttpTokens: required`; legacy AMIs and infra still permitting IMDSv1 remain a common Wiz/CSPM finding and an active path for cloud token theft.

Defences for AWS IMDSv2 typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: EC2 Instance Metadata Service v2, IMDSv2.