ec2-image-builder-roadmap

Enable requiring IMDSv2 on new AMI registration

Open tiilikainen opened this issue 4 months ago • 0 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

The security best practices for EC2 Image Builder document recommends requiring IMDSv2:

We recommend that you configure all EC2 instances that Image Builder launches from a pipeline build to use IMDSv2 so that instance metadata retrieval requests require a signed token header.

Yet there is no option to enable IMDSv2 on output AMIs. That has to be done after-the-fact using a ModifyImageAttribute call.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

It's not so much difficult as it forces us to take an extra step outside of image builder to configure the image before it can be used in our environment.

Are you currently working around this issue?

Using ModifyImageAttribute to modify the AMI after the fact to require IMDSv2.

Additional context

IMDSv2 is required for all EC2 instances in use at my company. It's easiest to bake this into the AMI from the get-go.

Attachments

N/A

tiilikainen, Mar 04 '24 16:03
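The post-build workaround described in the issue, as an added example (not code from the issue author or from AWS): it walks the `outputResources.amis` list that Image Builder's GetImage returns and sets `ImdsSupport` to `v2.0` on each AMI that lacks it, skipping ones already set so a re-run is harmless. The names `require_imdsv2`, `client_for_region`, `FakeEC2` and the AMI IDs are assumptions made for illustration; `describe_images` and `modify_image_attribute` are the boto3 EC2 client calls, injected here so the logic runs offline.

```python
# Added example. With boto3 installed, pass a real client factory instead:
#   lambda region: boto3.client("ec2", region_name=region)

def require_imdsv2(output_amis, client_for_region):
    """Set ImdsSupport=v2.0 on each Image Builder output AMI that lacks it.

    output_amis: the `outputResources.amis` list from imagebuilder GetImage,
                 i.e. dicts carrying "region" and "image" (the AMI ID).
    Returns the (region, ami_id) pairs that were modified.
    """
    changed = []
    for ami in output_amis:
        region, ami_id = ami["region"], ami["image"]
        ec2 = client_for_region(region)
        images = ec2.describe_images(ImageIds=[ami_id])["Images"]
        if not images:
            raise LookupError(f"{ami_id} not found in {region}")
        if images[0].get("ImdsSupport") == "v2.0":
            continue  # already requires IMDSv2, nothing to change
        ec2.modify_image_attribute(ImageId=ami_id, ImdsSupport={"Value": "v2.0"})
        changed.append((region, ami_id))
    return changed


class FakeEC2:
    """Constructed in-memory stand-in for a boto3 EC2 client (not an AWS API)."""
    def __init__(self, images):
        self.images = images  # ami_id -> image dict as DescribeImages returns it

    def describe_images(self, ImageIds):
        return {"Images": [self.images[i] for i in ImageIds if i in self.images]}

    def modify_image_attribute(self, ImageId, ImdsSupport):
        self.images[ImageId]["ImdsSupport"] = ImdsSupport["Value"]


def demo():
    # Constructed sample data: two regions, one AMI already requiring IMDSv2.
    clients = {
        "us-east-1": FakeEC2({"ami-0aaa": {"ImageId": "ami-0aaa"}}),
        "eu-west-1": FakeEC2({"ami-0bbb": {"ImageId": "ami-0bbb", "ImdsSupport": "v2.0"}}),
    }
    outputs = [{"region": "us-east-1", "image": "ami-0aaa"},
               {"region": "eu-west-1", "image": "ami-0bbb"}]
    first = require_imdsv2(outputs, clients.__getitem__)
    second = require_imdsv2(outputs, clients.__getitem__)  # idempotent re-run
    return first, second, clients


if __name__ == "__main__":
    print(demo()[:2])
```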