A collection of AWS Security controls for AWS EC2. Controls and templates include Directory Services (Microsoft AD and SimpleAD), SSM Configuration, Auto Scaling Groups, IAM policies, security groups, Flow logs, CloudWatch events and alarms for monitoring as well as Config rules. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

EC2
EC2 Instance

Configuration template to deploy an Amazon EC2 instance with customizable settings that include Instance Metadata Service (IMDS) settings, volume and interface settings, name tag, key pairs, and more.

CloudFormationTerraformAWS CLI
EC2 Launch Template

Configuration to create an Amazon EC2 Launch Template to be used to provision EC2 Instances. The template includes customizable settings such as configuring instance type, image id, IMDS enforcement, volume and interface settings, and more.

CloudFormationTerraformAWS CLI
EBS Volume Default Encryption (Account-Level)

Configuration to enable EBS default encryption for all EC2 instances in that region. Includes a CloudFormation custom resource to enable this setting.

CloudFormationTerraformAWS CLI
Provisioned IOPS SSD io1 Volume

This template creates a 100 GiB io1 volume with 100 provisioned IOPS. The volume is created in the same Availability Zone as the EC2 instance.

CloudFormation
EC2 Placement Group with Cluster Strategy

This template creates a placement group with a cluster placement strategy. The placement group is used to organize instances within the group.

CloudFormation
Launch Template with Public IP Addresses for Amazon EC2 Auto Scaling

This template creates and configures a launch template to assign public IP addresses to instances launched in a nondefault VPC. Note that when you specify a network interface for Amazon EC2 Auto Scaling, specify the VPC subnets as properties of the Auto Scaling group, and not in the launch template (because they will be ignored). This example launch template also sets the instance placement tenancy to `dedicated`.

CloudFormation
Launch template with an IAM instance profile

This template creates a launch template and an instance profile. The instance profile references the IAM role being created (with ReadOnlyAccess managed policy) and can provide the role's temporary credentials to an application that runs on the instances created by this launch template. The launch template also prevents accidental instance termination when using the Amazon EC2 console, CLI, or API, by specifying `true` for the `DisableApiTermination` property. If the instances created by this launch template are launched in a default VPC, they receive a public IP address by default. If the instances are launched in a nondefault VPC, they do not receive a public IP address by default.

CloudFormation
Create a Key Pair with Existing Key Material

This template imports an existing key pair and specifies it when launching an EC2 instance. The `AWS::EC2::KeyPair` resource is used to import the key pair with the `KeyName` property set to 'NameForMyImportedKeyPair' and the `PublicKeyMaterial` property set to the public key material. The `AWS::EC2::Instance` resource is used to launch the EC2 instance with the `ImageId` property set to 'ami-123456789012' and the `KeyName` property set to the `ImportedKeyPair` resource.

CloudFormation
EC2 Instance with New Key Pair

This template creates a new key pair and specifies it when launching an EC2 instance. The `AWS::EC2::KeyPair` resource is used to create the key pair with the `KeyName` property set to 'MyKeyPair'. The `AWS::EC2::Instance` resource is used to launch the EC2 instance with the `ImageId` property set to 'ami-123456789012' and the `KeyName` property set to the `NewKeyPair` resource.

CloudFormation
EC2 Instance with Public IP Address

This template creates an EC2 instance and associates a public IP address with the primary network interface. The instance is created in a specified subnet (subnet-123456) and references a new security group created to allow HTTPS traffic from the internet.

CloudFormation
EC2 Instance with an EBS Device Mapping

This template creates an EC2 instance with a block device mapping. It specifies an io1 volume with a size of 20 GB and overrides a device specified in the AMI block device mapping using NoDevice.

CloudFormation
EBS Volume Attachment to Existing Instance

This template attaches an EC2 EBS volume to the EC2 instance with the logical name 'Ec2Instance'. It creates a new volume with a size of 100 and in the same availability zone as the instance. The volume is tagged with a key-value pair. Then, it attaches the volume to the instance with the specified device name '/dev/sdh'.

CloudFormation
EC2 Dedicated Host

This template allocates a dedicated host for launching EC2 instances. The host is fully dedicated for your use, helping you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licenses.

CloudFormation
EC2 Capacity Reservation Fleet

This template creates a Capacity Reservation Fleet with the specified attributes. The Capacity Reservation Fleet will create Capacity Reservations for 2 c4.large or c5.large instances. The Fleet prioritizes c4.large over c5.large and both instance types have the same weight.

CloudFormation
EC2 Image Builder
Amazon EC2 Image Builder Image Recipe

This CloudFormation template creates an Amazon Image Builder Image Recipe with specified components and block device mappings.

CloudFormation
Amazon EC2 Image Builder Infrastructure Configuration

This template creates an infrastructure configuration for Amazon EC2 Image Builder. It provisions resources such as instance profiles, security groups, and S3 logging buckets, and allows customization through tags.

CloudFormation
Amazon Image Builder Component using Data

This template creates an Amazon Image Builder component with data, allowing users to build, validate, and test their images using custom scripts.

CloudFormation
Amazon Image Builder Component using a Uri

This template creates an Amazon Image Builder component using a Uri. It allows you to specify the KMS key ID for encryption, the platform, version, and supported OS versions for the component.

CloudFormation
Amazon Image Builder Container Recipe

This CloudFormation template creates an Amazon Image Builder Container Recipe with specified parameters, including the parent image, components, target repository, Dockerfile template, working directory, and tags. The output is the ARN of the created Container Recipe.

CloudFormation
Amazon EC2 Image Builder AMI Distribution Configuration

This template creates a distribution configuration for distributing Amazon Machine Images (AMIs) to different regions and target accounts. It allows you to set launch permissions, specify license configurations, and distribute to organizations and organizational units.

CloudFormation
Amazon Image Builder Container Image Distribution Configuration

This template creates a distribution configuration resource for a container image. It sets the target repository and container tags for container distribution to multiple regions. The container image can be distributed to multiple regions.

CloudFormation
Amazon EC2 Image Builder Image

This template creates an Image Builder configuration that uses an image recipe, infrastructure configuration, and distribution configuration to build and distribute custom images. It also allows for the configuration of image tests and customer image tags.

CloudFormation
Amazon EC2 Image Builder Image Pipeline

This template creates an Amazon Image Builder Image Pipeline with specified parameters, including the image recipe, infrastructure configuration, distribution configuration, and schedule. It also allows for the configuration of tags and image tests.

CloudFormation
Security Group
Custom Security Group

Build a custom security group.

CloudFormationTerraformAWS CLI
Web Server Security Group

A security group that allows inbound web traffic (TCP ports 80 and 443).

CloudFormationTerraformAWS CLI
Remote Desktop Protocol (RDP) Security Group

A security group that allows inbound RDP traffic (TCP port 3389).

CloudFormationTerraformAWS CLI
SSH Security Group

A security group that allows inbound SSH traffic (TCP port 22).

CloudFormationTerraformAWS CLI
Microsoft Active Directory Security Group

A security group that allows domain controller services on Microsoft Active Directory servers.

CloudFormationTerraformAWS CLI
DNS Server Security Group

A security group that allows inbound DNS traffic (TCP and UDP port 53).

CloudFormationTerraformAWS CLI
ICMP Security Group

A security group that allows inbound ICMP traffic.

CloudFormationTerraformAWS CLI
Maria DB Security Group

A security group that allows inbound access to a Maria DB instance.

CloudFormationTerraformAWS CLI
Microsoft SQL Server Security Group

A security group that allows inbound access to a Microsoft SQL server instance.

CloudFormationTerraformAWS CLI
MySql DB Security Group.

A security group that allows inbound access to a MySQL server instance.

CloudFormationTerraformAWS CLI
Oracle DB Security Group.

A security group that allows inbound access to an Oracle server instance.

CloudFormationTerraformAWS CLI
PostgreSQL DB Security Group.

A security group that allows inbound access to an PostgreSQL server instance.

CloudFormationTerraformAWS CLI
Amazon EFS Security Group

A security group for Amazon EFS that allows inbound NFS access from resources (including the mount target) associated with this security group (TCP 2049).

CloudFormationTerraformAWS CLI
Redshift Cluster Security Group

A security group that allows inbound access to an Amazon Redshift cluster (TCP 5439)

CloudFormationTerraformAWS CLI
Amazon OpenSearch Security Group

A security group that allows inbound access to an Amazon OpenSearch (TCP 443 and 80)

CloudFormationTerraformAWS CLI
Auto Remediation with SSM
Automatically Release Unattached Elastic IPs (EIP)

Auto remediation configuration to release unattached Elastic IPs. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI
Stop/Terminate EC2 Instances Running Unapproved AMIs (by AMI ID)

Auto remediation configuration to stop or terminate EC2 instances running unapproved AMIs (by AMI ID). Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI
Stop/Terminate EC2 Instances Running Unapproved AMIs (by AMI Tag)

Auto remediation configuration to stop or terminate EC2 instances running unapproved AMIs (by AMI Tag). Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI
Stop/Terminate EC2 Instances Running Unapproved EC2 Tenancy Mode

Auto remediation configuration to stop or terminate EC2 instances running unapproved Tenancy Modes (Shared or Dedicated). Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI
Stop/Terminate EC2 Instances Running Unapproved EC2 Instance Types

Auto remediation configuration to stop or terminate EC2 instances using unapproved instance types. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI
Stop/Terminate EC2 Instances with Public IPs

Auto remediation configuration to stop or terminate EC2 instances with public IP addresses. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

CloudFormationAWS CLI
Config Rule
EBS Encrypted Volumes Check

Checks whether the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key.

CloudFormationTerraformAWS CLI
Security Groups SSH Restricted Check

Checks whether security groups in use do not allow restricted incoming SSH traffic. This rule applies only to IPv4.

CloudFormationTerraformAWS CLI
EC2 Approved AMIs Check (by AMI ID)

Checks whether running instances are using specified AMIs. Specify a list of approved AMI IDs. Running instances with AMIs that are not on this list are noncompliant.

CloudFormationTerraformAWS CLI
EC2 Approved AMIs Check (by AMI Tag)

Checks whether running instances are using specified AMIs. Specify the tags that identify the AMIs. Running instances with AMIs that don't have at least one of the specified tags are noncompliant.

CloudFormationTerraformAWS CLI
Security Groups Unrestricted Common Ports Check

Checks whether security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. This rule applies only to IPv4.

CloudFormationTerraformAWS CLI
EC2 Desired Instance Tenancy Setting Check

A config rule that checks instances for specified tenancy. Specify AMI IDs to check instances that are launched from those AMIs or specify host IDs to check whether instances are launched on those Dedicated Hosts. Separate multiple ID values with commas.

CloudFormationTerraformAWS CLI
No EC2 Instances in Public Subnets Check

Check that no EC2 Instances are in Public Subnet.

CloudFormationTerraformAWS CLI
Security Groups Do Not Allow All Protocols Check

Check that security groups do not have an inbound rule with protocol of 'All'.

CloudFormationTerraformAWS CLI
Security Groups Do Not Allow All Ports Check

Check that security groups do not have an inbound rule with port range of 'All'.

CloudFormationTerraformAWS CLI
Launch Wizard Security Groups are Not Used Check

Check that security groups prefixed with "launch-wizard" are not associated with network interfaces.

CloudFormationTerraformAWS CLI
EC2 Desired Instance Type Check

A config rule that checks whether your EC2 instances are of the specified instance types.

CloudFormationTerraformAWS CLI
EC2 Instances Managed by Systems Manager (SSM) Check

A Config rule that checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.

CloudFormationTerraformAWS CLI
EC2 SSM Association Compliance Status Check

A Config rule that checks whether the compliance status of the Amazon EC2 Systems Manager (SSM) association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. The rule is compliant if the field status is COMPLIANT.

CloudFormationTerraformAWS CLI
EC2 SSM Patch Compliance Status Check

A Config rule that checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the field status is COMPLIANT.

CloudFormationTerraformAWS CLI
Default Security Group Closed Check

A config rule that checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule returns NOT_APPLICABLE if the security group is not default. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound traffic.

CloudFormationTerraformAWS CLI
ec2-instance-detailed-monitoring-enabled

A Config rule that checks whether detailed monitoring is enabled for EC2 instances.

CloudFormationTerraformAWS CLI
EC2 Unused EBS Volumes Check

A Config rule that checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion when an instance is terminated.

CloudFormationTerraformAWS CLI
Unattached Elastic IPs (EIP) Check

A Config rule that checks whether all Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).

CloudFormationTerraformAWS CLI
ec2-managedinstance-platform-check

A Config rule that checks whether EC2 managed instances have the desired configurations.

CloudFormationTerraformAWS CLI
EC2 Check Required Applications Check (SSM)

A Config rule that checks whether all of the specified applications are installed on the instance. Optionally, specify the minimum acceptable version. You can also specify the platform to apply the rule only to instances running that platform.

CloudFormationTerraformAWS CLI
EC2 Check Blacklisted Applications Check (SSM)

A Config rule that checks that none of the specified applications are installed on the instance. Optionally, specify the application version. Newer versions of the application will not be blacklisted. You can also specify the platform to apply the rule only to instances running that platform.

CloudFormationTerraformAWS CLI
EC2 Check Blacklisted Inventory (SSM)

A Config rule that checks whether instances managed by AWS Systems Manager are configured to collect blacklisted inventory types.

CloudFormationTerraformAWS CLI
EC2 EBS Default Encryption Enabled

A Config rule that checks that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled.

CloudFormationTerraformAWS CLI
Outdated AMI Check

A config rule that checks whether all private AMIs are not older than X days.

CloudFormationTerraformAWS CLI
No Public AMI Check

A config rule that checks whether the Amazon Machine Images are not publicly accessible.

CloudFormationTerraformAWS CLI
EC2 Instances No Public IP Check

A Config rule that checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. The rule is NON_COMPLIANT if the publicIp field is present in the Amazon EC2 instance configuration item. This rule applies only to IPv4

CloudFormationTerraformAWS CLI
Security Groups are Attached to ENIs Check

A Config rule that checks that security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or an elastic network interfaces (ENIs). The rule returns NON_COMPLIANT if the security group is not associated with an Amazon EC2 instance or an ENI

CloudFormationTerraformAWS CLI
Security Groups Open to Specific Ports Only

A Config rule that checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPCs) allows only specific inbound TCP or UDP traffic. The rule and any security group with inbound 0.0.0.0/0. is NON_COMPLIANT, if you do not provide any ports in the parameters.

CloudFormationTerraformAWS CLI
EBS Snapshots Not Publicly Restorable Check

A Config rule that checks whether Amazon Elastic Block Store snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots with the RestorableByUserIds field is set to all. If this field is set to all, then Amazon EBS snapshots are public.

CloudFormationTerraformAWS CLI
EC2 Stopped Instances Check

A Config rule that checks whether there are instances stopped for more than the allowed number of days. The instance is NON_COMPLIANT if the state of the ec2 instance has been stopped for longer than the allowed number of days.

CloudFormationTerraformAWS CLI
EC2 Instance Metadata Service v2 (IMDSv2) Configured

A Config rule that checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The rule is COMPLIANT if the HttpTokens is set to required and is NON_COMPLIANT if the HttpTokens is set to optional.

CloudFormationTerraformAWS CLI
EBS Volume in AWS Backup Plan Check

A Config rule that checks if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans.

CloudFormationTerraformAWS CLI
EC2 Auto Scaling Group Capacity Rebalancing is Enabled

A Config rule that checks if capacity rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types.

CloudFormationTerraformAWS CLI
Auto Scaling Groups have Public IP disabled in Launch Configurations

A Config rule that checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. This rule is NON_COMPLIANT if the Launch Configuration for an Auto Scaling group has AssociatePublicIpAddress set to true.

CloudFormationTerraformAWS CLI
Auto Scaling Group Enforces IMDSv2 in Launch Configuration

A Config rule that checks whether only IMDSv2 is enabled. This rule is NON_COMPLIANT if the Metadata version is not included in the launch configuration or if both Metadata V1 and V2 are enabled.

CloudFormationTerraformAWS CLI
Auto Scaling Group Enforces IMDSv2 Hop Limit in Launch Configuration

A Config rule that checks the number of network hops that the metadata token can travel. This rule is NON_COMPLIANT if the Metadata response hop limit is greater than 1.

CloudFormationTerraformAWS CLI
Auto Scaling Group Spans Multiple AZs

A Config rule that checks if the Auto Scaling group spans multiple Availability Zones. The rule is NON_COMPLIANT if the Auto Scaling group does not span multiple Availability Zones.

CloudFormationTerraformAWS CLI
Auto Scaling Groups Use Multiple EC2 Instance Types

A Config rule that checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types. This rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling group has only one instance type defined.

CloudFormationTerraformAWS CLI
EC2 Instance No Multiple ENIs Check

A Config rule that checks if Amazon Elastic Compute Cloud (Amazon EC2) uses multiple ENIs (Elastic Network Interfaces) or Elastic Fabric Adapters (EFAs). This rule is NON_COMPLIANT an Amazon EC2 instance use multiple network interfaces.

CloudFormationTerraformAWS CLI
EC2 Instance Profile Attached

A Config rule that checks if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it. This rule is NON_COMPLIANT if no IAM profile is attached to the Amazon EC2 instance.

CloudFormationTerraformAWS CLI
EC2 Instance No Amazon Key Pair Check

A Config rule that checks if running Amazon Elastic Compute Cloud (EC2) instances are launched using amazon key pairs. The rule is NON_COMPLIANT if a running EC2 instance is launched with a key pair.

CloudFormationTerraformAWS CLI
No EC2 Paravirtual Instances Check

A Config rule that checks if the virtualization type of an EC2 instance is paravirtual. This rule is NON_COMPLIANT for an EC2 instance if virtualizationType is set to paravirtual.

CloudFormationTerraformAWS CLI
EC2 IMDSv2 Token Hop Limit Check

A Config rule that checks if an Amazon Elastic Compute Cloud (EC2) instance metadata has a specified token hop limit that is below the desired limit. The rule is NON_COMPLIANT for an instance if it has a hop limit value above the intended limit.

CloudFormationTerraformAWS CLI
Transit Gateway Auto VPC Attach is Disabled

A Config rule that checks if Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways have AutoAcceptSharedAttachments enabled. The rule is NON_COMPLIANT for a Transit Gateway if AutoAcceptSharedAttachments is set to enable.

CloudFormationTerraformAWS CLI
EC2 Instance EBS Optimization is Enabled

A Config rule that checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized. The rule is NON_COMPLIANT if EBS optimization is not enabled for an EC2 instance that can be EBS-optimized.

CloudFormationTerraformAWS CLI
Check if EC2 Auto Scaling group is created from an EC2 launch template

Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template. The rule is NON_COMPLIANT if the scaling group is not created from an EC2 launch template.

CloudFormation
Create a rule to check if a recovery point was created for Amazon EC2 instances

Checks if a recovery point was created for Amazon Elastic Compute Cloud (Amazon EC2) instances. The rule is NON_COMPLIANT if the Amazon EC2 instance does not have a corresponding recovery point created within the specified time period.

CloudFormation
EC2 Launch Template Public IP Disabled

Checks if Amazon EC2 Launch Templates are set to assign public IP addresses to Network Interfaces. The rule is NON_COMPLIANT if the default version of an EC2 Launch Template has at least 1 Network Interface with 'AssociatePublicIpAddress' set to 'true'.

CloudFormation
Check EC2 Managed Instances for Blacklisted Inventory Types

Checks whether instances managed by Amazon EC2 Systems Manager are configured to collect blacklisted inventory types.

CloudFormation
Check non-default security groups attached to ENIs

Checks if non-default security groups are attached to Elastic network interfaces (ENIs). The rule is NON_COMPLIANT if the security group is not associated with an ENI. Security groups not owned by the calling account evaluate as NOT_APPLICABLE.

CloudFormation
EC2 Instances in VPC

Checks if your EC2 instances belong to a virtual private cloud (VPC). Optionally, you can specify the VPC ID to associate with your instances.

CloudFormation
IAM Policy
Allows Starting or Stopping an EC2 Instance and Modifying a Security Group

A policy that allows starting or stopping a specific EC2 instance and modifying a specific security group (Programmatically and in the Console).

CloudFormationTerraformAWS CLI
Allows Launching EC2 Instances in a Specific Subnet, Programmatically and in the Console

A policy that allows listing information for all EC2 objects and launching EC2 instances in a specific subnet. This policy also provides the permissions necessary to complete this action on the console.

CloudFormationTerraformAWS CLI
Allows Managing EC2 Security Groups Associated With a Specific VPC, Programmatically and in the Console

A policy that allows managing Amazon EC2 security groups associated with a specific virtual private cloud (VPC). This policy also provides the permissions necessary to complete this action on the console.

CloudFormationTerraformAWS CLI
Allows Full EC2 Access Within a Specific Region, Programmatically and in the Console

A policy hat allows full EC2 access within a specific region. This policy also provides the permissions necessary to complete this action on the console.

CloudFormationTerraformAWS CLI
Allow Users to Launch Approved Images and Use Existing Security Groups Only, Programmatically and in the Console.

An IAM policy that prevents users from creating their own security groups, and allows users to only launch approved AMIs (Amazon Machine Images). Approved images are identified with Tags (Example, Tag Key: Approved, Tag Value: True). This policy provides the permissions necessary to complete this action programmatically or from the console.

CloudFormationTerraformAWS CLI
Allow Starting or Stopping EC2 Instances Based on a User's Username, Programmatically and in the Console.

An IAM policy that allows an IAM user to start or stop EC2 instances, but only if the instance tag Owner has the value of that user's user name. This policy also provides the permissions necessary to complete this action on the console.

CloudFormationTerraformAWS CLI
Limit Terminating EC2 Instances to an IP Address Range

An IAM policy that prevents users from terminating EC2 instances when the request does not come from a specified IP range. This policy provides the permissions necessary to complete this action using the AWS API or AWS CLI only

CloudFormationTerraformAWS CLI
Require the Use of IMDSv2 When Launching EC2 Instances

An IAM policy that prevents users from launching new EC2 Instances if they are not configured to use the new Instance Metadata Service (IMDSv2)

CloudFormationTerraformAWS CLI