feat(client-ec2): Adds httpTokensEnforced property to ModifyInstanceMetadataDefaults API. Set per account or manage organization-wide using declarative policies to prevent IMDSv1-enabled instance launch and block attempts to enable IMDSv1 on existing IMDSv2-only instances.

Author: awstools

clients/client-ec2/src/commands/GetInstanceMetadataDefaultsCommand.ts

@@ -52,6 +52,7 @@ export interface GetInstanceMetadataDefaultsCommandOutput extends GetInstanceMet
  * //     InstanceMetadataTags: "disabled" || "enabled",
  * //     ManagedBy: "account" || "declarative-policy",
  * //     ManagedExceptionMessage: "STRING_VALUE",
+ * //     HttpTokensEnforced: "disabled" || "enabled",
  * //   },
  * // };
  *

clients/client-ec2/src/commands/ModifyInstanceMetadataDefaultsCommand.ts

@@ -50,6 +50,7 @@ export interface ModifyInstanceMetadataDefaultsCommandOutput extends ModifyInsta
  *   HttpEndpoint: "disabled" || "enabled" || "no-preference",
  *   InstanceMetadataTags: "disabled" || "enabled" || "no-preference",
  *   DryRun: true || false,
+ *   HttpTokensEnforced: "disabled" || "enabled" || "no-preference",
  * };
  * const command = new ModifyInstanceMetadataDefaultsCommand(input);
  * const response = await client.send(command);

clients/client-ec2/src/models/enums.ts

@@ -7397,6 +7397,19 @@ export const PartitionLoadFrequency = {
  */
 export type PartitionLoadFrequency = (typeof PartitionLoadFrequency)[keyof typeof PartitionLoadFrequency];
 
+/**
+ * @public
+ * @enum
+ */
+export const HttpTokensEnforcedState = {
+  disabled: "disabled",
+  enabled: "enabled",
+} as const;
+/**
+ * @public
+ */
+export type HttpTokensEnforcedState = (typeof HttpTokensEnforcedState)[keyof typeof HttpTokensEnforcedState];
+
 /**
  * @public
  * @enum
@@ -7707,6 +7720,21 @@ export const MetadataDefaultHttpTokensState = {
 export type MetadataDefaultHttpTokensState =
   (typeof MetadataDefaultHttpTokensState)[keyof typeof MetadataDefaultHttpTokensState];
 
+/**
+ * @public
+ * @enum
+ */
+export const DefaultHttpTokensEnforcedState = {
+  disabled: "disabled",
+  enabled: "enabled",
+  no_preference: "no-preference",
+} as const;
+/**
+ * @public
+ */
+export type DefaultHttpTokensEnforcedState =
+  (typeof DefaultHttpTokensEnforcedState)[keyof typeof DefaultHttpTokensEnforcedState];
+
 /**
  * @public
  * @enum

clients/client-ec2/src/models/models_6.ts

@@ -10,6 +10,7 @@ import {
   BootModeValues,
   CapacityReservationPreference,
   CurrencyCodeValues,
+  DefaultHttpTokensEnforcedState,
   DefaultInstanceMetadataEndpointState,
   DefaultInstanceMetadataTagsState,
   DefaultRouteTableAssociationValue,
@@ -27,6 +28,7 @@ import {
   HostnameType,
   HostRecovery,
   HostTenancy,
+  HttpTokensEnforcedState,
   HttpTokensState,
   InstanceAttributeName,
   InstanceAutoRecoveryState,
@@ -735,6 +737,14 @@ export interface InstanceMetadataDefaultsResponse {
    * @public
    */
   ManagedExceptionMessage?: string | undefined;
+
+  /**
+   * <p>Indicates whether to enforce the requirement of IMDSv2 on an instance at the time of
+   *             launch. When enforcement is enabled, the instance can't launch unless IMDSv2
+   *                 (<code>HttpTokens</code>) is set to <code>required</code>.</p>
+   * @public
+   */
+  HttpTokensEnforced?: HttpTokensEnforcedState | undefined;
 }
 
 /**
@@ -7984,6 +7994,16 @@ export interface ModifyInstanceMetadataDefaultsRequest {
    * @public
    */
   DryRun?: boolean | undefined;
+
+  /**
+   * <p>Specifies whether to enforce the requirement of IMDSv2 on an instance at the time of
+   *             launch. When enforcement is enabled, the instance can't launch unless IMDSv2
+   *                 (<code>HttpTokens</code>) is set to <code>required</code>. For more information, see
+   *                 <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#enforce-imdsv2-at-the-account-level">Enforce IMDSv2 at the account level</a> in the
+   *                 <i>Amazon EC2 User Guide</i>.</p>
+   * @public
+   */
+  HttpTokensEnforced?: DefaultHttpTokensEnforcedState | undefined;
 }
 
 /**

clients/client-ec2/src/schemas/schemas_0.ts

@@ -2936,6 +2936,7 @@ const _HRo = "HostReservation";
 const _HS = "HibernationSupported";
 const _HSa = "HaStatus";
 const _HT = "HttpTokens";
+const _HTE = "HttpTokensEnforced";
 const _HTo = "HostnameType";
 const _HZI = "HostedZoneId";
 const _Hi = "Hibernate";
@@ -6705,6 +6706,7 @@ const _hS = "hostSet";
 const _hSa = "haStatus";
 const _hSi = "hibernationSupported";
 const _hT = "httpTokens";
+const _hTE = "httpTokensEnforced";
 const _hTo = "hostnameType";
 const _hZI = "hostedZoneId";
 const _i = "id";
@@ -18213,14 +18215,15 @@ export var InstanceMarketOptionsRequest$: StaticStructureSchema = [3, n0, _IMORn
 ];
 export var InstanceMetadataDefaultsResponse$: StaticStructureSchema = [3, n0, _IMDR,
   0,
-  [_HT, _HPRHL, _HE, _IMT, _MB, _MEM],
+  [_HT, _HPRHL, _HE, _IMT, _MB, _MEM, _HTE],
   [[0, { [_eQN]: `HttpTokens`
   , [_xN]: _hT }], [1, { [_eQN]: `HttpPutResponseHopLimit`
   , [_xN]: _hPRHL }], [0, { [_eQN]: `HttpEndpoint`
   , [_xN]: _hE }], [0, { [_eQN]: `InstanceMetadataTags`
   , [_xN]: _iMT }], [0, { [_eQN]: `ManagedBy`
   , [_xN]: _mB }], [0, { [_eQN]: `ManagedExceptionMessage`
-  , [_xN]: _mEM }]]
+  , [_xN]: _mEM }], [0, { [_eQN]: `HttpTokensEnforced`
+  , [_xN]: _hTE }]]
 ];
 export var InstanceMetadataOptionsRequest$: StaticStructureSchema = [3, n0, _IMORns,
   0,
@@ -20101,8 +20104,8 @@ export var ModifyInstanceMaintenanceOptionsResult$: StaticStructureSchema = [3,
 ];
 export var ModifyInstanceMetadataDefaultsRequest$: StaticStructureSchema = [3, n0, _MIMDR,
   0,
-  [_HT, _HPRHL, _HE, _IMT, _DR],
-  [0, 1, 0, 0, 2]
+  [_HT, _HPRHL, _HE, _IMT, _DR, _HTE],
+  [0, 1, 0, 0, 2, 0]
 ];
 export var ModifyInstanceMetadataDefaultsResult$: StaticStructureSchema = [3, n0, _MIMDRo,
   0,

clients/client-ec2/test/index-objects.spec.mjs

@@ -884,6 +884,7 @@ import {
   DataQuery$,
   DataResponse$,
   DeclarativePoliciesReport$,
+  DefaultHttpTokensEnforcedState,
   DefaultInstanceMetadataEndpointState,
   DefaultInstanceMetadataTagsState,
   DefaultRouteTableAssociationValue,
@@ -2745,6 +2746,7 @@ import {
   HostRecovery,
   HostReservation$,
   HostTenancy,
+  HttpTokensEnforcedState,
   HttpTokensState,
   HypervisorType,
   IamInstanceProfile$,
@@ -8515,6 +8517,7 @@ assert(typeof CopyTagsFromSource === "object");
 assert(typeof CpuManufacturer === "object");
 assert(typeof CurrencyCodeValues === "object");
 assert(typeof DatafeedSubscriptionState === "object");
+assert(typeof DefaultHttpTokensEnforcedState === "object");
 assert(typeof DefaultInstanceMetadataEndpointState === "object");
 assert(typeof DefaultInstanceMetadataTagsState === "object");
 assert(typeof DefaultRouteTableAssociationValue === "object");
@@ -8578,6 +8581,7 @@ assert(typeof HostMaintenance === "object");
 assert(typeof HostnameType === "object");
 assert(typeof HostRecovery === "object");
 assert(typeof HostTenancy === "object");
+assert(typeof HttpTokensEnforcedState === "object");
 assert(typeof HttpTokensState === "object");
 assert(typeof HypervisorType === "object");
 assert(typeof IamInstanceProfileAssociationState === "object");

clients/client-ec2/test/index-types.ts

@@ -2349,6 +2349,7 @@ export type {
   CpuManufacturer,
   CurrencyCodeValues,
   DatafeedSubscriptionState,
+  DefaultHttpTokensEnforcedState,
   DefaultInstanceMetadataEndpointState,
   DefaultInstanceMetadataTagsState,
   DefaultRouteTableAssociationValue,
@@ -2412,6 +2413,7 @@ export type {
   HostnameType,
   HostRecovery,
   HostTenancy,
+  HttpTokensEnforcedState,
   HttpTokensState,
   HypervisorType,
   IamInstanceProfileAssociationState,