{
"schemaVersion": "2.2",
"description": "Enforce IMDSv2 on EC2 instances",
"mainSteps": [
{
"action": "aws:runShellScript",
"name": "enforceIMDSv2",
"inputs": {
"runCommand": [
"#!/bin/bash",
"INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)",
"HTTP_TOKENS=$(aws ec2 describe-instances --instance-ids $INSTANCE_ID --query 'Reservations[0].Instances[0].MetadataOptions.HttpTokens' --region ap-northeast-2 --output text)",
"echo \"Current HttpTokens: $HTTP_TOKENS\"",
"if [ \"$HTTP_TOKENS\" = \"optional\" ]; then",
" echo 'IMDSv1 detected, switching to IMDSv2'",
" aws ec2 modify-instance-metadata-options --instance-id $INSTANCE_ID --http-tokens required --http-endpoint enabled --region ap-northeast-2",
"else",
" echo 'IMDSv2 already in use or not applicable'",
"fi"
]
}
}
]
}
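# Register the SSM Command document whose content lives in enforce-imdsv2.json.
# --region is pinned here so that create and delete target the same region; the
# delete below already names ap-northeast-2, and relying on the CLI default for
# the create risks registering the document somewhere else.
#
# NOTE(review): the document's first step reads the instance id from the IMDS
# endpoint with a plain GET and no session token, i.e. an IMDSv1-style request.
# On an instance that already has HttpTokens=required that GET returns nothing,
# INSTANCE_ID is empty, describe-instances errors out, and the script lands in
# the "else" branch only by accident. Fetching a token first (PUT
# /latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header) and
# sending it as X-aws-ec2-metadata-token makes the check work under both modes;
# quoting "$INSTANCE_ID" and starting the script with `set -euo pipefail` would
# also stop an empty id from silently turning into a no-op.
aws ssm create-document \
  --name "EnforceIMDSv2" \
  --content file://enforce-imdsv2.json \
  --document-type "Command" \
  --region ap-northeast-2

# Remove the document once it is no longer needed (same region as the create).
aws ssm delete-document --name EnforceIMDSv2 --region ap-northeast-2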