Cloud & Infrastructure Practical By Samson Tanimawo, PhD Published Feb 27, 2026 4 min read

EC2 IMDSv2 Enforcement

IMDSv1 is vulnerable to SSRF; IMDSv2 closes the gap. The enforcement and the migration.

Why

IMDSv1 returns credentials to anyone who can make a GET request through SSRF in app code.

IMDSv2 requires a session token, blocking the SSRF path.

Account-level setting: IMDSv2 required for new instances.

Existing instances: replace or update via launch template.

Verify apps work without IMDSv1. Some legacy SDKs need updates.

Test in non-prod; identify the laggards; update.