AWS Security ChangesHomeSearch

AWS managedservices high security documentation change

Service: managedservices · 2025-08-13 · Security-related high

File: managedservices/latest/ctexguide/review-walkthroughs.md

Summary

Added documentation for 'Update EC2 Instance Metadata Service (IMDS) Region Setting' change type and expanded JSON policy examples for improved readability

Security assessment

The addition of IMDS region settings documentation addresses security best practices by allowing configuration of metadata service options (HttpEndpoint, HttpPutResponseHopLimit, InstanceMetadataTags) which help mitigate risks like SSRF attacks and unauthorized metadata access. The JSON formatting changes for IAM policies improve clarity but don't introduce security features.

Diff

diff --git a/managedservices/latest/ctexguide/review-walkthroughs.md b/managedservices/latest/ctexguide/review-walkthroughs.md
index 8c914d4ba..8db5c2fab 100644
--- a//managedservices/latest/ctexguide/review-walkthroughs.md
+++ b//managedservices/latest/ctexguide/review-walkthroughs.md
@@ -5 +5 @@
-Create a computer object's SPNDelete target groups (review required)Create application load balancer (ALB)Update application load balancer (ALB)Create listenerHigh availability one-tier stacks: CreatingCreate IAM entity or policy (review required)Continue rollback on custom AWS CloudFormation stackManage the VPC Subnet IPv4 Address Auto AssigmentSchedule addDelete EBS snapshot (Review Required)Update SNS topicCreate an S3 access pointCreate Custom RDS Parameter GroupAdd event notification to an Amazon S3 bucketUpdate custom deny list for AMS Automated IAM ProvisioningMigrate AWS Managed Account DNS resolver to Route 53 for SALZ accounts (review required)Disassociate resolver rules from VPCUpdate Enhanced MonitoringAssociate VPC with Resolver RuleDeploy AMS pattern (review required)Share AWS KMS KeyCreate Active Directory TrustOverride Stack Access Duration (Review required)Enable automated IAM provisioning with read-write permissionsAdd VPC static route (review required)Create IAM entity or policyUpdate IAM entity or policyDelete IAM entity or policyUpdate detailed monitoringShare directoryUnshare directoryCreate VPC endpointUpdate RDS storageUpdate an RDS multi-AZ deploymentUpdate an RDS instance typeUpdate S3 bucket versioningUpdate S3 bucket encryptionUpdating an application account (review required)Associate private IP addresses (review required) ct-1pvlhug439gl2Create Amazon RDS option group (review required)Remove TGW static routeCreate for WIGS (Review Required)Modify EBS volumeUpdate AWS Backup plan (review required)Confirm offboardingManagement account: Offboard Application accountDeploy AMS Resource Scheduler SolutionUpdate AMS Resource Scheduler SolutionDelete or deactivate access keyCreate access keyEnable Detailed MonitoringUpdate the DeleteOnTermination option (review required)Update RDS maintainance window (review required)Update RDS performance insights (review required)Create security group (review required)
+Update EC2 Instance Metadata Service (IMDS) Region SettingCreate a computer object's SPNDelete target groups (review required)Create application load balancer (ALB)Update application load balancer (ALB)Create listenerHigh availability one-tier stacks: CreatingCreate IAM entity or policy (review required)Continue rollback on custom AWS CloudFormation stackManage the VPC Subnet IPv4 Address Auto AssigmentSchedule addDelete EBS snapshot (Review Required)Update SNS topicCreate an S3 access pointCreate Custom RDS Parameter GroupAdd event notification to an Amazon S3 bucketUpdate custom deny list for AMS Automated IAM ProvisioningMigrate AWS Managed Account DNS resolver to Route 53 for SALZ accounts (review required)Disassociate resolver rules from VPCUpdate Enhanced MonitoringAssociate VPC with Resolver RuleDeploy AMS pattern (review required)Share AWS KMS KeyCreate Active Directory TrustOverride Stack Access Duration (Review required)Enable automated IAM provisioning with read-write permissionsAdd VPC static route (review required)Create IAM entity or policyUpdate IAM entity or policyDelete IAM entity or policyUpdate detailed monitoringShare directoryUnshare directoryCreate VPC endpointUpdate RDS storageUpdate an RDS multi-AZ deploymentUpdate an RDS instance typeUpdate S3 bucket versioningUpdate S3 bucket encryptionUpdating an application account (review required)Associate private IP addresses (review required) ct-1pvlhug439gl2Create Amazon RDS option group (review required)Remove TGW static routeCreate for WIGS (Review Required)Modify EBS volumeUpdate AWS Backup plan (review required)Confirm offboardingManagement account: Offboard Application accountDeploy AMS Resource Scheduler SolutionUpdate AMS Resource Scheduler SolutionDelete or deactivate access keyCreate access keyEnable Detailed MonitoringUpdate the DeleteOnTermination option (review required)Update RDS maintainance window (review required)Update RDS performance insights (review required)Create security group (review required)
@@ -10,0 +11,2 @@ Create a computer object's SPNDelete target groups (review required)Create appli
+  * Update EC2 Instance Metadata Service (IMDS) Region Setting
+
@@ -125,0 +128,95 @@ Create a computer object's SPNDelete target groups (review required)Create appli
+## Update EC2 Instance Metadata Service (IMDS) Region Setting
+
+The following shows this change type in the AMS console.
+
+![](/images/managedservices/latest/ctexguide/images/guiEc2ImdsRegionUpdateCT.png)
+
+How it works:
+
+  1. Navigate to the **Create RFC** page: In the left navigation pane of the AMS console click **RFCs** to open the RFCs list page, and then click **Create RFC**.
+
+  2. Choose a popular change type (CT) in the default **Browse change types** view, or select a CT in the **Choose by category** view.
+
+     * **Browse by change type** : You can click on a popular CT in the **Quick create** area to immediately open the **Run RFC** page. Note that you cannot choose an older CT version with quick create.
+
+To sort CTs, use the **All change types** area in either the **Card** or **Table** view. In either view, select a CT and then click **Create RFC** to open the **Run RFC** page. If applicable, a **Create with older version** option appears next to the **Create RFC** button.
+
+     * **Choose by category** : Select a category, subcategory, item, and operation and the CT details box opens with an option to **Create with older version** if applicable. Click **Create RFC** to open the **Run RFC** page.
+
+  3. On the **Run RFC** page, open the CT name area to see the CT details box. A **Subject** is required (this is filled in for you if you choose your CT in the **Browse change types** view). Open the **Additional configuration** area to add information about the RFC.
+
+In the **Execution configuration** area, use available drop-down lists or enter values for the required parameters. To configure optional execution parameters, open the **Additional configuration** area.
+
+  4. When finished, click **Run**. If there are no errors, the **RFC successfully created** page displays with the submitted RFC details, and the initial **Run output**. 
+
+  5. Open the **Run parameters** area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page.
+
+
+
+
+How it works:
+
+  1. Use either the Inline Create (you issue a `create-rfc` command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the `create-rfc` command with the two files as input. Both methods are described here.
+
+  2. Submit the RFC: `aws amscm submit-rfc --rfc-id `ID`` command with the returned RFC ID.
+
+Monitor the RFC: `aws amscm get-rfc --rfc-id `ID`` command.
+
+
+
+
+To check the change type version, use this command:
+    
+    
+    aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID
+
+###### Note
+
+You can use any `CreateRfc` parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, `--notification "{\"Email\": {\"EmailRecipients\" : [\"[email protected]\"]}}"` to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the [AMS Change Management API Reference](https://docs.aws.amazon.com/managedservices/latest/ApiReference-cm/API_CreateRfc.html).
+
+_INLINE CREATE_ :
+
+Issue the create RFC command with execution parameters provided inline (escape quotation marks when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this:
+    
+    
+    aws amscm create-rfc --change-type-id "ct-2o1knqxw39mkc" --change-type-version "1.0" --title "Update IMDS region-level default settings" --execution-parameters "{\"Region\":\"us-west-2\",\"HttpEndpoint\":\"Enabled\",",\"HttpPutResponseHopLimit\":2,\"InstanceMetadataTags\":\"Enabled\",\"Priority\":\"High\"}"
+
+_TEMPLATE CREATE_ :
+
+  1. Output the execution parameters for this change type to a JSON file; this example names it UPdateEC2ImdsRegionParams.json:
+    
+        aws amscm get-change-type-version --change-type-id "ct-2o1knqxw39mkc" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > UPdateEC2ImdsRegionParams.json
+
+  2. Modify and save the UPdateEC2ImdsRegionParams file, retaining only the parameters that you want to change. For example, you can replace the contents with something like this: 
+    
+        {
+    "Region": "us-west-2",
+    "HttpEndpoint": "Enabled",
+    "HttpPutResponseHopLimit": 2,
+    "InstanceMetadataTags" : "Enabled",
+    "Priority": "High"
+    }
+
+  3. Output the RFC template to a file in your current folder; this example names it UPdateEC2ImdsRegionRfc.json:
+    
+        aws amscm create-rfc --generate-cli-skeleton > UPdateEC2ImdsRegionRfc.json
+
+  4. Modify and save the UPdateEC2ImdsRegionRfc.json file. For example, you can replace the contents with something like this:
+    
+        {
+    "ChangeTypeVersion": "1.0",
+    "ChangeTypeId": "ct-2o1knqxw39mkc",
+    "Title": "Update IMDS region-level default settings"
+    }
+
+  5. Create the RFC, specifying the UPdateEC2ImdsRegionRfc file and the UPdateEC2ImdsRegionParams file:
+    
+        aws amscm create-rfc --cli-input-json file://UPdateEC2ImdsRegionRfc.json  --execution-parameters file://UPdateEC2ImdsRegionParams.json
+
+You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start.
+
+
+
+
+You can set default values for the instance metadata options at the account level for each AWS Region. When an instance is launched, the instance metadata options are automatically set to the account-level values. You can change these values at launch. Account-level default values do not affect existing instances. For more information about Amazon EC2 IMDS settings, see [ Where to configure instance metadata options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html#where-to-configure-instance-metadata-options)
+
@@ -854,2 +951,24 @@ _TEMPLATE CREATE_ :
-          "TrustPolicy": {"Version":"2008-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]},
-          "RolePermissions": {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ec2:DescribeInstanceStatus"],"Resource":"*"}]}
+          "TrustPolicy": {
+            "Version": "2008-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Principal": {
+                  "Service": "codebuild.amazonaws.com"
+                },
+                "Action": "sts:AssumeRole"
+              }
+            ]
+          },
+          "RolePermissions": {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Action": [
+                  "ec2:DescribeInstanceStatus"
+                ],
+                "Resource": "*"
+              }
+            ]
+          }
@@ -2823 +2942,12 @@ _TEMPLATE CREATE_ :
-            "AssumeRolePolicyDocument": {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":"sts:AssumeRole"}]},
+            "AssumeRolePolicyDocument": {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Principal": {
+                    "AWS": "arn:aws:iam::123456789012:root"
+                  },
+                  "Action": "sts:AssumeRole"
+                }
+              ]
+            },
@@ -2841 +2971,18 @@ _TEMPLATE CREATE_ :
-            "PolicyDocument": {"Version":"2012-10-17","Statement":[{"Sid":"AllQueueActions","Effect":"Allow","Action":"sqs:ListQueues","Resource":"*","Condition":{"ForAllValues:StringEquals":{"aws:tagKeys":["temporary"]}}}]}
+            "PolicyDocument": {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Sid": "AllQueueActions",
+                  "Effect": "Allow",
+                  "Action": "sqs:ListQueues",
+                  "Resource": "*",
+                  "Condition": {
+                    "ForAllValues:StringEquals": {
+                      "aws:tagKeys": [
+                        "temporary"
+                      ]
+                    }
+                  }
+                }
+              ]
+            }
@@ -2948 +3095 @@ _TEMPLATE CREATE_ :
-            "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:root\"},\"Action\":\"sts:AssumeRole\"}]}",
+            "AssumeRolePolicyDocument": {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"},"Action":"sts:AssumeRole"}]},
@@ -2962 +3109 @@ _TEMPLATE CREATE_ :
-            "PolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllQueueActions\",\"Effect\":\"Allow\",\"Action\":\"sqs:ListQueues\",\"Resource\":\"*\",\"Condition\":{\"ForAllValues:StringEquals\":{\"aws:tagKeys\":[\"temporary\"]}}}]}"
+            "PolicyDocument": {"Version":"2012-10-17","Statement":[{"Sid":"AllQueueActions","Effect":"Allow","Action":"sqs:ListQueues","Resource":"*","Condition":{"ForAllValues:StringEquals":{"aws:tagKeys":["temporary"]}}}]}