Ensure IMDS Response Hop Limit is Set to One

The IMDS (Instance Metadata Service) provides instance metadata to EC2 instances. When the IMDS PUT response hop limit is greater than one, the PUT response that carries the secret session token can travel beyond the EC2 instance itself. Ensure that it is set to one to limit this exposure.

Risk Level: Low
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.NET.97
Covered by Spectral: No
Category: Compute

GSL LOGIC

Instance where metadataOptions.httpEndpoint = 'enabled' should not have metadataOptions.httpPutResponseHopLimit > 1

REMEDIATION

From Portal

  1. Log into the AWS Management Console.
  2. Navigate to EC2 Dashboard.
  3. Select the specific EC2 instance.
  4. Under 'Instance Settings', locate 'Metadata Options'.
  5. Set 'HTTP Put Response Hop Limit' to '1' and save the changes.

From TF

resource "aws_instance" "example" {
	metadata_options {
		http_endpoint = "enabled"
		http_put_response_hop_limit = 1
	}
}

From Command Line

  1. Use the AWS CLI to modify the instance metadata options:
     aws ec2 modify-instance-metadata-options --instance-id [INSTANCE_ID] --http-put-response-hop-limit 1 --http-endpoint enabled
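The following is an added example, not part of the CloudGuard rule or the AWS tooling: it applies the GSL logic above to the JSON that `aws ec2 describe-instances --output json` emits (piped on stdin, or a constructed sample when run interactively) and emits the page's remediation command for every non-compliant instance. The instance IDs in the sample are placeholders.

```python
"""Audit EC2 instances against rule D9.AWS.NET.97 (IMDS hop limit must be 1)."""
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example00000001",   # non-compliant: enabled, hop limit 2
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0example00000002",   # compliant: hop limit 1
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0example00000003",   # IMDS disabled: not in scope
         "MetadataOptions": {"HttpEndpoint": "disabled",
                             "HttpPutResponseHopLimit": 64}},
    ]}]
})


def hop_limit_violations(describe_output: str) -> list:
    """Return instances where HttpEndpoint == 'enabled' and HttpPutResponseHopLimit > 1.

    Mirrors the GSL rule: instances with the IMDS endpoint disabled are compliant
    whatever their hop limit, so they are skipped rather than flagged."""
    findings = []
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue
            hop_limit = int(opts.get("HttpPutResponseHopLimit", 1))
            if hop_limit > 1:
                findings.append({"InstanceId": inst["InstanceId"],
                                 "HopLimit": hop_limit,
                                 "HttpTokens": opts.get("HttpTokens")})
    return findings


def remediation_command(instance_id: str) -> str:
    """The CLI remediation from the page, filled in for one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-put-response-hop-limit 1 --http-endpoint enabled")


if __name__ == "__main__":
    data = SAMPLE_DESCRIBE_INSTANCES if sys.stdin.isatty() else sys.stdin.read()
    for f in hop_limit_violations(data):
        print(f"{f['InstanceId']}: hop limit {f['HopLimit']}, tokens {f['HttpTokens']}")
        print("  " + remediation_command(f["InstanceId"]))
```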

References

  1. https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsResponse.html

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • CloudGuard AWS All Rules Ruleset