Find what is making EC2 IMDSv1 calls on Windows Servers
I'm trying to get all our instances (all Windows based) upgraded to IMDSv2 and have been following the advice found here https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2 and using CloudWatch to find instances making MetadataNoToken calls (i.e. using IMDSv1).
I've found several instances using IMDSv1 this way, but I can't work out how to find out what is making the calls from within the OS. According to CloudWatch each server is making one call per minute to the IMDSv1 service.
The support article mentions upgrading any AWS SDKs or CLI tools, but the servers in question don't seem to have any SDKs or CLI tools installed.
Each instance has the following AWS published tools installed on them:
- Amazon SSM Agent
- Amazon CloudWatch Agent
- AWS Tools for Windows
- EC2ConfigService
- AWS PV Drivers
- aws-cfn-bootstrap
I've updated the Amazon SSM Agent and the Amazon CloudWatch Agent to the latest versions. But I can't find any information about how to update the AWS Tools for Windows package.
I've also run TCPView from Sysinternals on the servers and tried to find what process is making calls to the 169.254.169.254 endpoint, but it doesn't seem to pick up any traffic to that address.
I'm reluctant to just disable IMDSv1 and do a scream test as they are production servers.
If anyone has any advice or guidance on how to find what is making the IMDSv1 calls it would be appreciated.
Solution 1:[1]
I figured it out in the end. Using the "Windows Resource Monitor Network monitor" tool, I found the executable that was making the calls. I've written up the process in this blog post:
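
A scripted variant of the approach in the answer above, as an added example that is not part of the original post or of the blog post it mentions: it temporarily turns on Windows Filtering Platform connection auditing, reads event 5156 from the Security log, and reports which executable, PID and hosted services connected to 169.254.169.254. The function names and the three-minute capture window are choices made for this example; the events show which processes contact the metadata endpoint, not whether a given request carried an IMDSv2 token.

```powershell
# Added example. Run from an elevated PowerShell session.
# Assumption: the "Filtering Platform Connection" audit subcategory was off beforehand,
# so switching it off again at the end restores the original state.
$ImdsAddress = '169.254.169.254'

function Set-WfpConnectionAudit {
    param([ValidateSet('enable', 'disable')][string]$State)
    auditpol.exe /set /subcategory:"Filtering Platform Connection" "/success:$State" | Out-Null
}

function Get-ImdsCaller {
    param([datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 5156; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        if ($data['DestAddress'] -eq $ImdsAddress) {
            [pscustomobject]@{
                Time        = $evt.TimeCreated
                ProcessId   = [int]$data['ProcessID']
                Application = $data['Application']   # NT device path of the executable
            }
        }
    }
}

function Resolve-ImdsCaller {
    param([Parameter(ValueFromPipeline)]$Caller)   # one Group-Object result per process
    process {
        $id   = $Caller.Group[0].ProcessId
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$id" -ErrorAction SilentlyContinue
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId=$id" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Calls       = $Caller.Count
            ProcessId   = $id
            Application = $Caller.Group[0].Application
            CommandLine = $proc.CommandLine        # empty if the process has already exited
            Services    = ($svc.Name -join ',')    # services hosted in that process, if any
        }
    }
}

$start = Get-Date
Set-WfpConnectionAudit -State enable
try { Start-Sleep -Seconds 180 }                   # covers several one-per-minute calls
finally { Set-WfpConnectionAudit -State disable }
Get-ImdsCaller -Since $start | Group-Object ProcessId, Application | Resolve-ImdsCaller | Format-List
```

A process that shows roughly one connection per minute here is the candidate to compare against the per-minute MetadataNoToken count seen in CloudWatch.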
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | JM_G |