# `AWSConfigRemediation-EnforceEC2InstanceIMDSv2` **Description** The `AWSConfigRemediation-EnforceEC2InstanceIMDSv2` runbook requires the Amazon Elastic Compute Cloud (Amazon EC2) instance you specify to use Instance Metadata Service Version 2 (IMDSv2). [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnforceEC2InstanceIMDSv2) **Document type** Automation **Owner** Amazon **Platforms** Linux, macOS, Windows **Parameters** + InstanceId Type: String Description: (Required) The ID of the Amazon EC2 instance you want to require to use IMDSv2. + AutomationAssumeRole Type: String Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. + HttpPutResponseHopLimit Type: Integer Description: (Optional) The Hop response limit from the IMDS service back to the requester. Set to 2 or greater for EC2 instances hosting containers. Set to 0 to not change (Default). Allowed pattern: `^([1-5]?\d|6[0-4])$` Default: 0 **Required IAM permissions** The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully. + `ssm:StartAutomationExecution` + `ssm:GetAutomationExecution` + `ec2:DescribeInstances` + `ec2:ModifyInstanceMetadataOptions` **Document Steps** + `aws:executeScript` - Sets the `HttpTokens` option to `required` on the Amazon EC2 instance you specify in the `InstanceId` parameter. + `aws:assertAwsResourceProperty` - Verifies IMDSv2 is required on the Amazon EC2 instance.