How to use IMDSv2 in an Elastic Beanstalk environment?
I recently read about the new Instance Metadata Service, IMDSv2, that fixes SSRF attacks in an EC2 environment. I understand how it works when I use EC2 directly over the CLI. But I couldn't find any information about what steps to take to use it in Elastic Beanstalk, which handles EC2 instance creation on my behalf, and how to enforce it there.

Can somebody tell me if this already is or will be possible in the future? I couldn't find information on that.

Thanks in advance.

Update: In addition to all the responses, we had to increase the HttpPutResponseHopLimit to 2, because we were using Docker in EB, which needs an extra hop out of the Docker environment.

Stencil answered 26/1, 2020 at 8:45 Comment(0)
You can configure a Lambda function to get triggered whenever a new instance is launched in the Auto Scaling Group.

Using Launch Template instead of Launch Configuration gives you the flexibility to set this parameter in CloudFormation, but there is no clearly documented way of doing that at the moment.

Hemorrhoid answered 31/8, 2020 at 10:50 Comment(0)
To begin with, AWS has made available a new CloudWatch metric that provides visibility into the number of IMDSv1 calls being made. You can use this to monitor how often IMDSv1 calls are made on an instance, and you can set it up to monitor your Elastic Beanstalk instances.
Next, we need to enable IMDSv2 on the instances. To do this we need the latest version of the AWS CLI (aws-cli/1.16.287 Python/3.6.8). An update was released for the AWS CLI with the option to enable/disable IMDSv2 under EC2.
Coming to migration, Elastic Beanstalk lets you configure the instances used. You can follow the steps provided in Customizing software on Linux servers and ensure the latest version of the AWS CLI is present. Once set up, you can run

aws ec2 modify-instance-metadata-options --instance-id <instance-id> --profile <profile> --http-endpoint enabled --http-tokens required

as documented in Modify Instance Metadata Options

You can also specify commands to be run at instance startup in Elastic Beanstalk as given in Customizing software on Linux servers to include

# The plain GET still works at this point because IMDSv1 is allowed until the command below runs.
# The instance role supplies credentials, so there is no --profile; the region is read from IMDS as well.
curl -s http://169.254.169.254/latest/meta-data/instance-id | \
xargs -I {} aws ec2 modify-instance-metadata-options --instance-id {} --region "$(curl -s http://169.254.169.254/latest/meta-data/placement/region)" --http-endpoint enabled --http-tokens required

This should take care of configuring the IMDSv2 on launch for the corresponding instance.

References :

  1. Configuring Instance Metadata Service
  2. AWS Security Blog

In addition to the above, you can use IAM conditions to enforce that IAM users cannot launch instances unless they use IMDSv2, and that IAM users cannot re-enable IMDSv1 (details provided in Reference 1).

Nuclide answered 3/2, 2020 at 13:23 Comment(1)
Thank you for your detailed response. It already helped me get started. I have just one blocker left regarding the 'aws ec2 modify-instance-metadata-options' call. My Elastic Beanstalk environment autoscales, so this command should run for every new instance created. Is there a way to automate this as well? Stencil
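An added example, not code from the answer above or from AWS: running modify-instance-metadata-options from a startup command leaves a short window after launch in which IMDSv1 is still accepted, and it relies on the instance role being allowed to call ec2:ModifyInstanceMetadataOptions, so a practitioner also wants a way to check that every instance behind the environment actually ended up with tokens required and, on a Docker platform, with the hop limit of 2 the question's update describes. The script below audits the JSON that `aws ec2 describe-instances --query 'Reservations[].Instances[]'` produces (filter on the elasticbeanstalk:environment-name tag to scope it to one environment) and prints the remediation command for each non-compliant instance. The instance IDs and metadata options in SAMPLE_INSTANCES are constructed for illustration; the hop-limit values per platform and the `--http-put-response-hop-limit` flag are the ones the EC2 CLI documents.

```python
"""Audit EC2 metadata options for an Elastic Beanstalk environment.

usage: python audit_imds.py [instances.json] [docker|plain]
Without a file argument the constructed SAMPLE_INSTANCES below are used.
"""
import json
import sys

# A Docker platform needs the token PUT response to cross one extra hop
# (out of the container), hence 2; a plain platform needs only the default 1.
HOPS_FOR = {"docker": 2, "plain": 1}

# Constructed stand-in for `aws ec2 describe-instances --query 'Reservations[].Instances[]'`.
SAMPLE_INSTANCES = json.loads("""[
  {"InstanceId": "i-0aaa1111aaaa1111a",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0bbb2222bbbb2222b",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0ccc3333cccc3333c",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}}
]""")


def audit(instances, platform="plain"):
    """Return {InstanceId: [problem, ...]} for every instance that deviates.

    A hop limit *above* what the platform needs is reported too: each extra
    hop lets a token response travel one router further away from the
    instance, which is exactly what the limit exists to prevent.
    """
    want_hops = HOPS_FOR[platform]
    findings = {}
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        problems = []
        if opts.get("HttpEndpoint") != "enabled":
            problems.append("metadata endpoint disabled")
        if opts.get("HttpTokens") != "required":
            problems.append("IMDSv1 still allowed (HttpTokens=%s)" % opts.get("HttpTokens"))
        hops = opts.get("HttpPutResponseHopLimit", 1)
        if hops < want_hops:
            problems.append("hop limit %d too low for %s platform (need %d)" % (hops, platform, want_hops))
        elif hops > want_hops:
            problems.append("hop limit %d higher than the %d the %s platform needs" % (hops, want_hops, platform))
        if problems:
            findings[inst["InstanceId"]] = problems
    return findings


def remediation(instance_id, platform="plain"):
    """The CLI call that brings one instance into line with the audit."""
    return ("aws ec2 modify-instance-metadata-options --instance-id %s "
            "--http-endpoint enabled --http-tokens required "
            "--http-put-response-hop-limit %d" % (instance_id, HOPS_FOR[platform]))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    platform = sys.argv[2] if len(sys.argv) > 2 else "plain"
    instances = json.load(open(path)) if path else SAMPLE_INSTANCES
    for iid, problems in audit(instances, platform).items():
        print(iid)
        for problem in problems:
            print("  -", problem)
        print("  fix:", remediation(iid, platform))
```

The durable fix is to set the metadata options on the launch template so instances start out compliant; this audit is for catching drift (instances launched before the change, or someone re-enabling IMDSv1 by hand), and the IAM conditions mentioned in the answer above close that second path.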
It's a bit simpler now than described in Sandesh's answer.

As mentioned here, IMDSv2 is enabled by default for AL2023, but not for AL2.

To enable IMDSv2 explicitly, you can either add the following to your .ebextensions (or to your CloudFormation template), or use the web console, as described in the IMDS docs:

option_settings:
  aws:autoscaling:launchconfiguration:
    DisableIMDSv1: true

Then you can use IMDSv2 in your Elastic Beanstalk platform hooks, as described in the many IMDSv2 documentation examples.

To pick one example: You could get the EC2 instance's public hostname in a .platform hook as follows:

#!/bin/bash

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
EC2_PUBLIC_HOSTNAME=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-hostname)
echo "hostname: $EC2_PUBLIC_HOSTNAME"
...

Note that the IP 169.254.169.254 is prescribed by AWS.

Presence answered 27/6 at 14:2 Comment(0)
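An added example, not code from the answer above or from AWS: the same token flow the platform hook performs with curl, written as a small Python client so the failure modes are explicit, plus a mock of a metadata service that has HttpTokens=required so the exchange can be run offline. The client first does the PUT to /latest/api/token with the TTL header, then sends the token on the GET; with tokens required there is no IMDSv1 fallback, so a failed PUT is fatal, and a timeout on that PUT (rather than an HTTP error) is the usual symptom of the hop-limit problem from the question's update. The mock server, its loopback address, MOCK_TOKEN and the values in MOCK_METADATA are constructed here; only the endpoint 169.254.169.254, the two header names and the TTL of 21600 are AWS's.

```python
"""IMDSv2 client with a constructed mock metadata service for offline runs."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS = "http://169.254.169.254"   # prescribed by AWS
TOKEN_TTL = 21600                 # seconds; the maximum TTL the service accepts


def imds_get(path, endpoint=IMDS, ttl=TOKEN_TTL, timeout=2):
    """Read /latest/meta-data/<path> with a session token (IMDSv2).

    Raises RuntimeError if the token PUT fails. On an instance with
    HttpTokens=required nothing else will work, so the hook should stop
    here rather than fall back to a token-less GET.
    """
    token_req = urllib.request.Request(
        endpoint + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    try:
        with urllib.request.urlopen(token_req, timeout=timeout) as resp:
            token = resp.read().decode()
    except OSError as exc:  # URLError, HTTPError and socket timeouts all derive from OSError
        raise RuntimeError("IMDSv2 token request failed: %s" % exc) from exc
    meta_req = urllib.request.Request(
        endpoint + "/latest/meta-data/" + path,
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(meta_req, timeout=timeout) as resp:
        return resp.read().decode()


def v1_style_get(path, endpoint=IMDS, timeout=2):
    """Token-less GET, as IMDSv1 clients (and SSRF payloads) send it.
    Returns the HTTP status: 401 once tokens are required."""
    try:
        with urllib.request.urlopen(endpoint + "/latest/meta-data/" + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def can_get_token(endpoint, timeout=1):
    """True if the token PUT succeeds against endpoint, False otherwise."""
    try:
        imds_get("instance-id", endpoint, timeout=timeout)
        return True
    except RuntimeError:
        return False


# ---- constructed mock of a metadata service with HttpTokens=required ----
MOCK_TOKEN = "AQAEAexampletoken=="
MOCK_METADATA = {"instance-id": "i-0123456789abcdef0", "placement/region": "eu-west-1"}


class MockIMDSv2(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def do_PUT(self):
        if self.path == "/latest/api/token" and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
            self._reply(200, MOCK_TOKEN)
        else:
            self._reply(400, "")

    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") != MOCK_TOKEN:
            self._reply(401, "")  # tokens required: token-less requests are refused
            return
        key = self.path[len("/latest/meta-data/"):]
        if self.path.startswith("/latest/meta-data/") and key in MOCK_METADATA:
            self._reply(200, MOCK_METADATA[key])
        else:
            self._reply(404, "")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock_imds():
    """Serve the mock on a random loopback port; returns its base URL."""
    server = HTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_port


def demo(endpoint=None):
    """Run both request styles against the mock (or a real endpoint if given)."""
    base = endpoint or start_mock_imds()
    return {"v1_status": v1_style_get("instance-id", base),
            "instance_id": imds_get("instance-id", base),
            "region": imds_get("placement/region", base)}


if __name__ == "__main__":
    print(demo())  # on a real instance: print(demo(IMDS))
```

Inside a Docker container on a platform whose hop limit is still 1, `can_get_token(IMDS)` returns False after the timeout while the same call from the host succeeds; that asymmetry is the quickest way to confirm the hop-limit diagnosis before changing the launch template.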

© 2022 - 2024 — McMap. All rights reserved.