AWS Security ChangesHomeSearch

AWS guardduty medium security documentation change

Service: guardduty · 2025-07-01 · Security-related medium

File: guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md

Summary

Updated exclusion tag requirements to specify enabling 'Allow tags in metadata' for IMDS access

Security assessment

This change addresses a security configuration requirement for proper agent exclusion tag processing. Incorrect IMDS tag access settings could lead to improper security agent deployment, potentially leaving instances unprotected. The documentation now explicitly requires enabling tag access in metadata service for security controls to function correctly.

Diff

diff --git a/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md b/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md
index 113655f9b..b68dfdc7c 100644
--- a//guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md
+++ b//guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.md
@@ -123 +123 @@ Ensure that you add the exclusion tag to your Amazon EC2 instances before you la
-    * For the exclusion tags to work, update the instance configuration so that the instance identity document is available in instance metadata service (IMDS). Procedure to do this step is already a part of [Enabling Runtime Monitoring](./runtime-monitoring-configuration.html) for your account.
+    * Enable **Allow tags in metadata** setting for your instances. This setting is required because GuardDuty needs to read the exclusion tag from the instance metadata service (IMDS) to determine whether it should exclude the instance from agent installation. For more information, see [Enable access to tags in instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/work-with-tags-in-IMDS.html#allow-access-to-tags-in-IMDS) in the _Amazon EC2 User Guide_.