---
title: EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)
description: Datadog, the leading service for cloud-scale monitoring.
---

# EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)
 
## Description{% #description %}

This control checks whether an Amazon EC2 launch template has **all** versions configured with Instance Metadata Service Version 2 (IMDSv2). The control fails if **any** version does not have `HttpTokens` set to `required`. Datadog recommends deleting any unused launch template versions, as they can be accidentally assigned to new infrastructure components at any time.

## Remediation{% #remediation %}

1. **Identify problematic versions**: Review all versions of the launch template to identify which ones have IMDSv1 configuration or missing metadata options.

1. **Validate version usage**: Check if any problematic versions are currently in use by Auto Scaling Groups, EC2 instances, or other services before taking action.

1. **Choose remediation approach**:

   - **Update existing versions**: Modify problematic versions to use IMDSv2 by setting `HttpTokens` to `required`
   - **Delete unused versions**: Remove versions that are not in use and have security issues
   - **Create new version**: Create a new version with proper IMDSv2 configuration and update references

To configure IMDSv2 on launch template versions, see [Configure the Instance Metadata Service options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html) in the Amazon EC2 User Guide.
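Steps 1 and 2 can be scripted against the JSON returned by `aws ec2 describe-launch-template-versions` and `aws autoscaling describe-auto-scaling-groups`. The following is an added example, not Datadog's rule logic: the sample data and the helper names (`failing_versions`, `resolve`, `triage`) are constructed for illustration. It assumes a single launch template and only checks Auto Scaling groups that reference the template directly, so mixed instances policies and running instances still need a separate check.

```python
import json

# Constructed sample shaped like `aws ec2 describe-launch-template-versions` output.
VERSIONS = json.loads("""
{"LaunchTemplateVersions": [
  {"LaunchTemplateId": "lt-0example", "VersionNumber": 1, "DefaultVersion": false,
   "LaunchTemplateData": {"ImageId": "ami-0example"}},
  {"LaunchTemplateId": "lt-0example", "VersionNumber": 2, "DefaultVersion": true,
   "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "optional"}}},
  {"LaunchTemplateId": "lt-0example", "VersionNumber": 3, "DefaultVersion": false,
   "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "required"}}}
]}""")["LaunchTemplateVersions"]

# Constructed sample shaped like `aws autoscaling describe-auto-scaling-groups` output.
ASGS = json.loads("""
{"AutoScalingGroups": [
  {"AutoScalingGroupName": "web", "LaunchTemplate":
     {"LaunchTemplateId": "lt-0example", "Version": "$Default"}},
  {"AutoScalingGroupName": "batch", "LaunchTemplate":
     {"LaunchTemplateId": "lt-0example", "Version": "$Latest"}}
]}""")["AutoScalingGroups"]

def failing_versions(versions):
    """Version numbers whose HttpTokens is not 'required' (missing options count)."""
    return sorted(v["VersionNumber"] for v in versions
                  if (v.get("LaunchTemplateData", {}).get("MetadataOptions") or {})
                  .get("HttpTokens") != "required")

def resolve(spec, versions):
    """Map an ASG Version field ($Default, $Latest or a number) to a version number."""
    if spec == "$Latest":
        return max(v["VersionNumber"] for v in versions)
    if spec in ("$Default", None):  # assumption: an omitted Version means the default
        return next(v["VersionNumber"] for v in versions if v["DefaultVersion"])
    return int(spec)

def triage(versions, asgs):
    """Split failing versions into those referenced by an ASG and those unused."""
    bad, in_use = failing_versions(versions), {}
    template_id = versions[0]["LaunchTemplateId"]
    for group in asgs:
        lt = group.get("LaunchTemplate") or {}
        if lt.get("LaunchTemplateId") != template_id:
            continue  # group uses another template or no launch template at all
        number = resolve(lt.get("Version"), versions)
        if number in bad:
            in_use.setdefault(number, []).append(group["AutoScalingGroupName"])
    return {"in_use": in_use, "unused": [n for n in bad if n not in in_use]}

if __name__ == "__main__":
    print(triage(VERSIONS, ASGS))
```

Version 1 fails because it has no `MetadataOptions` at all, and version 2 is flagged as in use because the `web` group tracks `$Default`, which currently resolves to it.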
