How to set ec2 instance options upon elastic launch (IMDSv2 metadata specifically)

Chris Stevens December 3, 2020

One of the AWS recommendations in Security Hub considered "High" severity is setting all EC2 instances to use Instance Metadata Service Version 2 (IMDSv2). Is there a way to make this happen with elastic Bamboo instances? 

If I have access to edit the command that's run to launch the instances, that would work (--metadata-options "HttpEndpoint=enabled,HttpTokens=required" added to the aws ec2 run-instances command). If I'm not able to edit that, any other thoughts? Thanks in advance! 

3 answers

1 vote
Alistair.Mackay January 9, 2021

Hi @Chris Stevens 

The best way I've found to modify an EC2 instance when it's launched is to use CloudWatch Events and Lambda. You could adapt the solution I developed for adding additional security groups to a launching elastic agent.

See my original question and the solution.
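
One way the CloudWatch Events and Lambda approach from the answer above could look for IMDSv2, as an added example that is not part of the original post or the linked solution. It assumes the rule matches the EC2 state-change event for the `running` state and that the function's role may call `ec2:DescribeInstances` and `ec2:ModifyInstanceMetadataOptions`; the function names and the sample event are constructed here.

```python
"""Added example: Lambda handler behind an EC2 state-change rule that enforces IMDSv2."""

# Same options the question passes to run-instances via --metadata-options.
REQUIRED = {"HttpTokens": "required", "HttpEndpoint": "enabled"}

# Constructed sample of an "EC2 Instance State-change Notification" event.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"},
}


def needs_imdsv2(metadata_options):
    """True when the metadata endpoint is on and still accepts token-less requests."""
    # A disabled endpoint is left alone: re-enabling it would widen exposure.
    return (metadata_options.get("HttpEndpoint") == "enabled"
            and metadata_options.get("HttpTokens") != "required")


def enforce_imdsv2(event, ec2):
    """Require session tokens on the instance named in the event.

    `ec2` is a boto3 EC2 client (or a stand-in with the same two methods).
    Returns "ignored", "compliant", "enforced" or "not-found".
    """
    if event.get("detail-type") != "EC2 Instance State-change Notification":
        return "ignored"
    detail = event.get("detail", {})
    if detail.get("state") != "running":
        return "ignored"
    instance_id = detail["instance-id"]
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    for reservation in reservations:
        for instance in reservation["Instances"]:
            if not needs_imdsv2(instance.get("MetadataOptions", {})):
                return "compliant"
            ec2.modify_instance_metadata_options(InstanceId=instance_id, **REQUIRED)
            return "enforced"
    return "not-found"


def lambda_handler(event, context):
    import boto3  # provided by the Lambda Python runtime
    result = enforce_imdsv2(event, boto3.client("ec2"))
    print(f"{event.get('detail', {}).get('instance-id')}: {result}")
    return result
```

Because the rule fires after launch, IMDSv1 requests are still accepted for a short window before the handler runs.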

0 votes
Lei P February 28, 2023

For whoever finds this thread, let's push Atlassian to support this via https://jira.atlassian.com/browse/BAM-21978

0 votes
Lei P September 12, 2022

Hey, Atlassian team, this is a Sec issue many Bamboo users will need for AWS Integration. Please provide a native solution ASAP.

Bamboo should support native IMDS v2 instead of the customer having to update post EC2 launch.
