
Elastic Compute Service:Access instance metadata in security hardening mode only

Last Updated:Oct 31, 2025

When you create an instance, enable security hardening mode for metadata access.

Security risks

In normal mode, the metadata service trusts any request that originates from the instance: no credential is presented, so the source IP address is the only form of authentication. Any code running on the instance can therefore read the metadata, including an application that an attacker can drive into making arbitrary HTTP requests (Server-Side Request Forgery, SSRF). The metadata contains sensitive information, such as the temporary credentials of the RAM role attached to the instance. In security hardening mode (also called enhanced mode), every request must carry a valid metadata access token for identity verification and authorization. The token can be obtained and used only from within the specific ECS instance, has a limited lifetime, and cannot practically be guessed or forged. Because the token must first be requested with a PUT request and then sent in a request header, which typical SSRF primitives cannot do, security hardening mode defeats most SSRF attacks against the metadata service.

Best practices

Console

When you create an instance on the instance purchase page, do not select Normal Mode, and do not select the compatibility option Normal Mode and Security Hardening Mode, which still accepts requests without a token. Select Security Hardening Mode instead. Note that only some of the latest public image versions support this mode.

Important

Before you enforce security hardening mode for an instance, make sure that all application code that accesses metadata has been updated to obtain a metadata access token and to send it with every metadata request. Code that still relies on tokenless requests stops working once the mode is enforced.
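The following example, added here and not part of the original page or of Alibaba Cloud's own code, shows the difference described in the security risks section and the client change the note above asks for. The metadata service is a local simulation constructed for offline use: in `optional` mode it behaves like normal mode and answers any request, in `required` mode it behaves like security hardening mode and demands a token. The endpoint address is assumed (on a real instance it is `http://100.100.100.200`), as are the role name `ExampleRole` and the sample metadata values; the token path and the two header names are the real ones, and `MAX_TTL` reflects the 21600-second upper bound the service accepts.

```python
"""Metadata access in normal mode vs. security hardening mode (offline simulation)."""
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aliyun-ecs-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aliyun-ecs-metadata-token"
MAX_TTL = 21600  # seconds; the largest TTL the real service accepts
CRED_PATH = "/latest/meta-data/ram/security-credentials/ExampleRole"  # assumed role name

# Constructed sample metadata; the RAM role credential is what SSRF usually targets.
SAMPLE_METADATA = {
    "/latest/meta-data/instance-id": "i-example0000000000",
    CRED_PATH: '{"AccessKeyId": "STS.example", "AccessKeySecret": "redacted"}',
}


class FakeMetadataService(BaseHTTPRequestHandler):
    """Simulated endpoint. mode is 'optional' (normal mode: every request from the
    instance is trusted) or 'required' (security hardening mode: token mandatory)."""
    mode = "required"
    tokens = {}  # issued token -> expiry timestamp

    def log_message(self, *args):  # silence per-request logging
        pass

    def do_PUT(self):  # token issuance: PUT /latest/api/token with a TTL header
        ttl = self.headers.get(TTL_HEADER, "")
        if self.path != TOKEN_PATH or not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
            return self._reply(400, "invalid token request")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._reply(200, token)

    def do_GET(self):  # metadata read; in hardening mode a valid, unexpired token is required
        if self.mode == "required":
            token = self.headers.get(TOKEN_HEADER)
            if token not in self.tokens or self.tokens[token] < time.time():
                return self._reply(401, "metadata token missing, invalid or expired")
        body = SAMPLE_METADATA.get(self.path)
        self._reply(200 if body is not None else 404, body if body is not None else "not found")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def _request(url, headers, method="GET"):
    """Returns (status, body) instead of raising on 4xx responses."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def fetch_token(base_url, ttl_seconds=300):
    """Step 1 of hardened access. Keep the TTL short: the token is a bearer credential."""
    return _request(base_url + TOKEN_PATH, {TTL_HEADER: str(ttl_seconds)}, method="PUT")


def get_metadata(base_url, path, token=None):
    """Step 2. Without a token this is exactly the request an SSRF payload would make."""
    headers = {TOKEN_HEADER: token} if token else {}
    return _request(base_url + path, headers)


def start_service(mode):
    FakeMetadataService.mode = mode
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeMetadataService)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def compare_modes(path=CRED_PATH):
    """Issues the same requests against both modes and returns the HTTP status codes."""
    results = {}
    for mode in ("optional", "required"):
        srv, base = start_service(mode)
        try:
            results[mode + "_no_token"] = get_metadata(base, path)[0]            # SSRF-style read
            results[mode + "_forged_token"] = get_metadata(base, path, "guess")[0]
            results[mode + "_bad_ttl"] = fetch_token(base, MAX_TTL + 1)[0]
            status, token = fetch_token(base, 300)
            results[mode + "_with_token"] = get_metadata(base, path, token)[0] if status == 200 else status
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for key, code in sorted(compare_modes().items()):
        print(key, code)
```

In `optional` mode the tokenless read of the role credential succeeds, which is the exposure the security risks section describes; in `required` mode the same request and a guessed token both get 401, an out-of-range TTL gets 400, and only the two-step flow in `fetch_token` and `get_metadata` reads the data. Application code that accesses metadata needs the equivalent of those two functions before the mode is enforced.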

API

When you create an instance by calling the RunInstances or CreateInstance API operation, set the HttpTokens parameter to required and the HttpEndpoint parameter to enabled. This enables security hardening mode for metadata access.

Compliance capabilities

Block: Prevent the creation of instances not in security hardening mode

You can block operations that create instances not in security hardening mode with a custom control policy at the resource directory (organization) level or with a custom RAM policy at the account level. Both use the same policy document: it denies RunInstances, CreateInstance, and ModifyInstanceMetadataOptions whenever the ecs:SecurityHardeningMode condition key is false.

  • For enterprise users:

    1. Log on to the Resource Directory console with an Alibaba Cloud account. In the navigation pane on the left, click Control Policies. Then, create a custom policy and paste the following JSON content.

      This policy denies operations that set a mode other than security hardening mode when you create an instance or modify the metadata access mode of an instance.
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": [
              "ecs:RunInstances",
              "ecs:CreateInstance",
              "ecs:ModifyInstanceMetadataOptions"
            ],
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "ecs:SecurityHardeningMode": ["false"]
              }
            }
          }
        ]
      }
    2. In the resource directory, select the folder or member account to govern and attach the policy. The policy then blocks the specified operations for every account under that node.

  • For individual users:

    1. Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account. In the navigation pane on the left, click Policies. Then, create a custom policy with the same content as the one above.

    2. Attach the policy to the RAM users, RAM user groups, or RAM roles that create or modify instances. A Deny statement applies only to the principals the policy is attached to, so cover every principal that can call the listed operations.

Fix: Remediate instances not in security hardening mode

For more information, see Enforce the enhanced mode for an existing instance.
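The following audit helper is added here as an example and is not Alibaba Cloud tooling. It classifies instances by metadata access mode from a DescribeInstances response and builds the ModifyInstanceMetadataOptions parameters that enforce security hardening mode on the instances that still accept tokenless requests. The input is a constructed sample in the shape DescribeInstances returns (Instances.Instance[] with a MetadataOptions object containing HttpEndpoint and HttpTokens); the instance IDs and region are assumed, and the API calls themselves are left to the caller. Instances whose metadata endpoint is disabled are reported for review rather than changed, because enabling the endpoint would change their exposure.

```python
"""Audit ECS instances for metadata access mode and build remediation requests."""
import json
import shlex

# Constructed DescribeInstances response fragment (instance IDs and region are assumed).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Instances": {"Instance": [
        {"InstanceId": "i-example000000000a", "RegionId": "cn-hangzhou",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-example000000000b", "RegionId": "cn-hangzhou",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-example000000000c", "RegionId": "cn-hangzhou",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-example000000000d", "RegionId": "cn-hangzhou"},  # no options reported
    ]}
})


def _instances(describe_json):
    return json.loads(describe_json)["Instances"]["Instance"]


def metadata_state(instance):
    """'hardened': endpoint on and token mandatory (security hardening mode).
    'endpoint_disabled': metadata service switched off entirely.
    'tokenless': HttpTokens optional or not reported, so SSRF can read metadata."""
    opts = instance.get("MetadataOptions") or {}
    if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") == "required":
        return "hardened"
    if opts.get("HttpEndpoint") == "disabled":
        return "endpoint_disabled"
    return "tokenless"


def audit(describe_json):
    """Returns {InstanceId: state} for every instance in the response."""
    return {inst["InstanceId"]: metadata_state(inst) for inst in _instances(describe_json)}


def remediation_requests(describe_json):
    """ModifyInstanceMetadataOptions parameters for each instance that still accepts
    tokenless requests. Only apply them after the application code on those
    instances has been updated to the token flow."""
    return [
        {"Action": "ModifyInstanceMetadataOptions", "RegionId": inst["RegionId"],
         "InstanceId": inst["InstanceId"], "HttpTokens": "required", "HttpEndpoint": "enabled"}
        for inst in _instances(describe_json) if metadata_state(inst) == "tokenless"
    ]


def cli_commands(describe_json):
    """Renders each remediation request as an aliyun CLI invocation for review before running."""
    return [
        "aliyun ecs ModifyInstanceMetadataOptions --RegionId %s --InstanceId %s "
        "--HttpTokens required --HttpEndpoint enabled"
        % (shlex.quote(r["RegionId"]), shlex.quote(r["InstanceId"]))
        for r in remediation_requests(describe_json)
    ]


if __name__ == "__main__":
    for instance_id, state in audit(SAMPLE_DESCRIBE_INSTANCES).items():
        print(instance_id, state)
    for cmd in cli_commands(SAMPLE_DESCRIBE_INSTANCES):
        print(cmd)
```

Feed the helper the JSON output of DescribeInstances for each region; the rendered commands can be reviewed and then run under an identity that is not blocked by the Deny policy above (the policy permits ModifyInstanceMetadataOptions when the target mode is security hardening mode).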