EC2 instance metadata is data about a running EC2 instance that is accessible from within the instance itself via a special link-local HTTP endpoint at 169.254.169.254. It provides information such as the instance ID, AMI ID, public IP, IAM role credentials, availability zone, and more.
Instance metadata is a powerful built-in AWS feature that allows applications running inside an EC2 instance to discover information about themselves and their environment without any external API calls or hardcoded configuration. It is served by a special link-local address (169.254.169.254) that is only accessible from within the instance — not from the internet.
instance-id — The unique identifier of the instance (e.g., i-0123456789abcdef0)
instance-type — The type of the instance (e.g., t3.micro, m5.large)
ami-id — The ID of the AMI used to launch the instance
public-ipv4 — The public IPv4 address of the instance
local-ipv4 — The private IPv4 address within the VPC
public-hostname — The public DNS hostname
placement/availability-zone — The AZ where the instance is running (e.g., us-east-1a)
iam/security-credentials/ — Temporary IAM role credentials (Access Key, Secret Key, Session Token)
security-groups — The names of the security groups attached to the instance
hostname — The private hostname of the instance
mac — The MAC address of the network interface
user-data — The User Data script that was passed at launch
IMDSv1 — A plain GET request with no token required. Vulnerable to SSRF (Server-Side Request Forgery): an attacker who can make a vulnerable application on the instance issue server-side requests can read the IAM role credentials from the metadata endpoint.
IMDSv2 — Requires a PUT request to obtain a session token first. Protects against SSRF because the common SSRF vectors (open redirects, URL fetchers that follow a supplied link) issue only GET requests and cannot perform the PUT that the token exchange requires. AWS strongly recommends enforcing IMDSv2 on all instances.
Enforcing IMDSv2 — Set HttpTokens to required when launching: aws ec2 run-instances --metadata-options HttpTokens=required
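As an added example (not code from the original page or from AWS), the following Python shows the IMDSv2 token exchange described above and audits `aws ec2 describe-instances` output for instances whose metadata endpoint is on but still accepts token-less (IMDSv1) requests, emitting the matching `modify-instance-metadata-options` command for each. The `describe-instances` JSON is constructed sample data, and the `opener` parameter is a hook so the exchange can be exercised off an instance.

```python
"""IMDSv2 token exchange plus an audit of instances that still allow IMDSv1."""
import json
import urllib.request

IMDS = "http://169.254.169.254"  # link-local metadata endpoint

def imdsv2_get(path, ttl=60, opener=urllib.request.urlopen):
    """Read a metadata path the IMDSv2 way: PUT for a session token, then GET
    with the token header. Only succeeds on an EC2 instance; `opener` is a
    hook (assumption for offline testing) that defaults to urlopen."""
    req = urllib.request.Request(f"{IMDS}/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with opener(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(f"{IMDS}/latest/meta-data/{path}",
                                 headers={"X-aws-ec2-metadata-token": token})
    with opener(req, timeout=2) as resp:
        return resp.read().decode()

def find_imdsv1_instances(describe_json):
    """Given `aws ec2 describe-instances` output (JSON string or dict), return
    (InstanceId, HttpTokens, HttpPutResponseHopLimit) for every instance whose
    metadata endpoint is enabled but does not require a token."""
    data = json.loads(describe_json) if isinstance(describe_json, str) else describe_json
    weak = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # IMDS switched off: no credentials reachable at all
            if opts.get("HttpTokens") != "required":
                weak.append((inst["InstanceId"], opts.get("HttpTokens", "optional"),
                             opts.get("HttpPutResponseHopLimit", 1)))
    return weak

def remediation_commands(weak):
    """One modify-instance-metadata-options call per flagged instance."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            f"--http-tokens required --http-put-response-hop-limit 1"
            for iid, _, _ in weak]

# Constructed sample, not real account data: one exposed, one enforced, one with IMDS off.
SAMPLE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa00000000000a1", "MetadataOptions":
        {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb00000000000b2", "MetadataOptions":
        {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc00000000000c3", "MetadataOptions":
        {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}}]}]})
```

Run `remediation_commands(find_imdsv1_instances(SAMPLE))` to see the single command produced for the exposed instance; on a real account, feed it the output of `aws ec2 describe-instances` instead of `SAMPLE`.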