

# Declarative policies
<a name="orgs_manage_policies_declarative"></a>

Declarative policies allow you to centrally declare and enforce your desired configuration for a given AWS service at scale across an organization. Once attached, the configuration is always maintained when the service adds new features or APIs. Use declarative policies to prevent noncompliant actions. For example, you can block public internet access to Amazon VPC resources across your organization. 

The key benefits of using declarative policies are:
+ **Ease of use**: You can enforce the baseline configuration for an AWS service with a few selections in the AWS Organizations and AWS Control Tower consoles or with a few commands using the AWS CLI & AWS SDKs.
+ **Set once and forget**: The baseline configuration for an AWS service is always maintained, even when the service introduces new features or APIs. The baseline configuration is also maintained when new accounts are added to an organization or when new principals and resources are created.
+ **Transparency**: The account status report allows you to review the current status of all attributes supported by declarative policies for the accounts in scope. You can also create customizable error messages, which can help administrators redirect end users to internal wiki pages or provide a descriptive message that can help end users understand why an action failed. 

For a full list of supported AWS services and attributes, see [Supported AWS services and attributes](#orgs_manage_policies_declarative-supported-controls).

**Topics**
+ [How declarative policies work](#orgs_manage_policies_declarative-how-work)
+ [Custom error messages](#orgs_manage_policies_declarative-custom-message)
+ [Account status report](#orgs_manage_policies_declarative-account-status-report)
+ [Supported services](#orgs_manage_policies_declarative-supported-controls)
+ [Getting started](orgs_manage_policies-declarative_getting-started.md)
+ [Best practices](orgs_manage_policies_declarative_best-practices.md)
+ [Generating the account status report](orgs_manage_policies_declarative_status-report.md)
+ [Declarative policy syntax and examples](orgs_manage_policies_declarative_syntax.md)

## How declarative policies work
<a name="orgs_manage_policies_declarative-how-work"></a>

Declarative policies are enforced in the service's control plane, which is an important distinction from [authorization policies such as service control policies (SCPs) and resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_authorization_policies.html). While authorization policies regulate access to APIs, declarative policies are applied directly at the service level to enforce durable intent. This ensures that the baseline configuration is always enforced, even when new features or APIs are introduced by the service.

The following table helps illustrate this distinction and provides some use cases.



|  | Service control policies | Resource control policies | Declarative policies | 
| --- | --- | --- | --- | 
| Why? |  To centrally define and enforce consistent access controls on principals (such as IAM users and IAM roles) at scale.   |  To centrally define and enforce consistent access controls on resources at scale  |  To centrally define and enforce the baseline configuration for AWS services at scale.  | 
| How? |  By controlling the maximum available access permissions of principals at an API level.  |  By controlling the maximum available access permissions for resources at an API level.  |  By enforcing the desired configuration of an AWS service without using API actions.  | 
| Governs service-linked roles? | No | No | Yes | 
| Feedback mechanism | Non-customizable access denied SCP error. | Non-customizable access denied RCP error. | Customizable error message. For more information, see [Custom error messages for declarative policies](#orgs_manage_policies_declarative-custom-message). | 
| Example policy | [Deny member accounts from leaving the organization](https://github.com/aws-samples/service-control-policy-examples/blob/main/Privileged-access-controls/Deny-member-accounts-from-leaving-your-AWS-organization.json) | [Restrict access to only HTTPS connections to your resources](https://github.com/aws-samples/resource-control-policy-examples/blob/main/Restrict-resource-access-patterns/Restrict-access-to-only-HTTPS-connections-to-your-resources.json) | [Allowed Images Settings](orgs_manage_policies_declarative_syntax.md#declarative-policy-ec2-ami-allowed-images) | 

After you have [created](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_policies_create.html#create-declarative-policy-procedure) and [attached](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_policies_attach.html) a declarative policy, it is applied and enforced across your organization. Declarative policies can be applied to an entire organization, organizational units (OUs), or accounts. Accounts joining an organization will automatically inherit the declarative policy in the organization. For more information, see [Understanding management policy inheritance](orgs_manage_policies_inheritance_mgmt.md).

The *effective policy* is the set of rules that are inherited from the organization root and OUs along with those directly attached to the account. The effective policy specifies the final set of rules that apply to the account. For more information, see [Viewing effective management policies](orgs_manage_policies_effective.md).

If a declarative policy is [detached](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_policies_detach.html), the attribute state will roll back to its previous state before the declarative policy was attached.

## Custom error messages for declarative policies
<a name="orgs_manage_policies_declarative-custom-message"></a>

Declarative policies allow you to create custom error messages. For example, if an API operation fails due to a declarative policy, you can set the error message or provide a custom URL, such as a link to an internal wiki or to a page that describes the failure. If you do not specify a custom error message, AWS Organizations returns a default message such as: `This action is denied due to an organizational policy in effect`.

You can also audit the process of creating declarative policies, updating declarative policies, and deleting declarative policies with AWS CloudTrail. CloudTrail can flag API operation failures due to declarative policies. For more information, see [Logging and monitoring](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html).

**Important**  
Do not include *personally identifiable information (PII)* or other sensitive information in a custom error message. PII is any information that can be used to identify or locate an individual, including financial, medical, educational, and employment records. Examples of PII are addresses, bank account numbers, and phone numbers.

## Account status report for declarative policies
<a name="orgs_manage_policies_declarative-account-status-report"></a>

The *account status report* allows you to review the current status of all attributes supported by declarative policies for the accounts in scope. You can choose the accounts and organizational units (OUs) to include in the report scope, or choose an entire organization by selecting the root.

This report helps you assess readiness by providing a Region breakdown and showing whether the current state of an attribute is *uniform across accounts* (`numberOfMatchedAccounts`) or *inconsistent* (`numberOfUnmatchedAccounts`). You can also see the *most frequent value*, which is the configuration value that is most frequently observed for the attribute.

Figure 1 shows a generated account status report with uniformity across accounts for two attributes, VPC Block Public Access and Image Block Public Access: for each of these attributes, all the accounts in scope have the same configuration.

The generated account status report shows inconsistent accounts for the following attributes: Allowed Images Settings, Instance Metadata defaults, Serial Console Access, and Snapshot Block Public Access. In this example, each attribute with an inconsistent account is due to there being one account with a different configuration value.

If there is a most frequent value, that is displayed in its respective column. For more detailed information of what each attribute controls, see [Declarative policy syntax and example policies](orgs_manage_policies_declarative_syntax.md).

You can also expand an attribute to see a Region breakdown. In this example, Image Block Public Access is expanded and in each Region, you can see that there is also uniformity across accounts.

The choice to attach a declarative policy for enforcing a baseline configuration depends on your specific use case. Use the account status report to help you assess your readiness before attaching a declarative policy.

For more information, see [Generating the account status report](orgs_manage_policies_declarative_status-report.md).

![\[Example account status report with uniformity across accounts for VPC Block Public Access and Image Block Public Access\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/declarative-status-report.png)


*Figure 1: Example account status report with uniformity across accounts for VPC Block Public Access and Image Block Public Access.*

## Supported AWS services and attributes
<a name="orgs_manage_policies_declarative-supported-controls"></a>

### Supported attributes for declarative policies for EC2
<a name="orgs_manage_policies_declarative-supported-controls-ec2"></a>

The following attributes are supported for Amazon EC2 related services. For each attribute's schema, its allowed values, and the EC2 API operations it locks for accounts in scope, see [Declarative policy syntax and examples](orgs_manage_policies_declarative_syntax.md).
+ VPC Block Public Access
+ Serial Console Access
+ Image Block Public Access
+ Allowed Images Settings
+ Instance Metadata
+ Snapshot Block Public Access

# Getting started with declarative policies
<a name="orgs_manage_policies-declarative_getting-started"></a>

Follow these steps to get started using declarative policies.

1. [Learn about the permissions you must have to perform declarative policy tasks](orgs_manage_policies_prereqs.md).

1. [Enable declarative policies for your organization](enable-policy-type.md).

   **Note**  
   **Enabling trusted access is required**  
   You must enable trusted access for the service where the declarative policy will enforce a baseline configuration. This creates a read-only service-linked role that is used to generate the account status report of the existing configuration for accounts across your organization.

   **Using the console**

   If you use the Organizations console, this step is part of the process for enabling declarative policies.

   **Using the AWS CLI**

   If you use the AWS CLI, there are two separate API operations:
   + [EnablePolicyType](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html), which you use to enable declarative policies.
   + [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html), which you use to enable trusted access.

   For more information on how to enable trusted access for a specific service with the AWS CLI, see [AWS services that you can use with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html).

1. [Run the account status report](orgs_manage_policies_declarative_status-report.md).

1. [Create a declarative policy](orgs_policies_create.md).

1. [Attach the declarative policy to your organization's root, OU, or account](orgs_policies_attach.md).

1. [View the combined effective declarative policy that applies to an account](orgs_manage_policies_effective.md).

For all of these steps, you sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization's management account.
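The steps above as AWS CLI calls, as an added example that is not part of the AWS documentation. The commands, the `DECLARATIVE_POLICY_EC2` policy type and the `describe-effective-policy` call are the real CLI names; the `ec2.amazonaws.com` service principal is the one assumed here for EC2 trusted access (confirm it against the services list linked above); the function names, the root, OU, account and bucket identifiers, the policy name and the wiki URL in the error message are placeholders. The script is meant to run as `sh` in the management account; set `DRY_RUN=1` to print the commands instead of executing them.

```shell
# Added example: the getting-started steps as AWS CLI calls. Not AWS code.
# Assumptions: run in the management account with the permissions from the
# prerequisites page; all IDs, names and URLs below are placeholders.
set -eu

# run: print the command under DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# baseline_policy: an IMDSv2-only baseline with a custom error message, in the
# declarative policy syntax documented on this page. The hop limit of 2 keeps
# containers on the instance working once IMDSv2 is required.
baseline_policy() {
  cat <<'EOF'
{
  "ec2_attributes": {
    "exception_message": {
      "@@assign": "Blocked by the EC2 baseline policy. See https://wiki.example.internal/ec2-baseline"
    },
    "instance_metadata_defaults": {
      "http_tokens": { "@@assign": "required" },
      "http_put_response_hop_limit": { "@@assign": "2" }
    }
  }
}
EOF
}

# prepare ROOT_ID TARGET_ID BUCKET
# Steps 2 and 3: enable the policy type and EC2 trusted access, then start the
# asynchronous account status report for TARGET_ID into BUCKET (the bucket
# needs the bucket policy from the status report page). Review the report
# summary before calling rollout.
prepare() {
  root_id=$1; target_id=$2; bucket=$3
  run aws organizations enable-policy-type --root-id "$root_id" --policy-type DECLARATIVE_POLICY_EC2
  run aws organizations enable-aws-service-access --service-principal ec2.amazonaws.com
  run aws ec2 start-declarative-policies-report --s3-bucket "$bucket" --target-id "$target_id"
}

# rollout TARGET_ID ACCOUNT_ID
# Steps 4 to 6: create the policy, attach it to TARGET_ID (root, OU or account),
# then show the effective policy for ACCOUNT_ID to confirm the inherited result.
rollout() {
  target_id=$1; account_id=$2
  policy_file=$(mktemp)
  baseline_policy > "$policy_file"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    policy_id="p-examplepolicyid"   # placeholder: no policy is created offline
    run aws organizations create-policy --name ec2-baseline --type DECLARATIVE_POLICY_EC2 \
      --description "IMDSv2 required on new launches" --content "file://$policy_file"
  else
    policy_id=$(aws organizations create-policy --name ec2-baseline --type DECLARATIVE_POLICY_EC2 \
      --description "IMDSv2 required on new launches" --content "file://$policy_file" \
      --query 'Policy.PolicySummary.Id' --output text)
  fi
  rm -f "$policy_file"
  run aws organizations attach-policy --policy-id "$policy_id" --target-id "$target_id"
  run aws organizations describe-effective-policy --policy-type DECLARATIVE_POLICY_EC2 --target-id "$account_id"
}

# Usage: sh declarative-bootstrap.sh prepare r-abcd ou-abcd-11111111 amzn-s3-demo-bucket
#        sh declarative-bootstrap.sh rollout ou-abcd-11111111 111122223333
if [ "$#" -ge 3 ]; then
  cmd=$1; shift
  "$cmd" "$@"
fi
```

Run `prepare` first and wait for the status report to complete; `rollout` is split off so that the policy is only attached after the report has been reviewed, and the final `describe-effective-policy` is the check recommended under best practices.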

**Other information**
+ [Learn declarative policy syntax and see example policies](orgs_manage_policies_declarative_syntax.md)

# Best practices for using declarative policies
<a name="orgs_manage_policies_declarative_best-practices"></a>

AWS recommends the following best practices for using declarative policies.

## Leverage readiness assessments
<a name="bp-declarative-readiness"></a>

Use the declarative policy *account status report* to assess the current status of all attributes supported by declarative policies for the accounts in scope. You can choose the accounts and organizational units (OUs) to include in the report scope, or choose an entire organization by selecting the root.

This report helps you assess readiness by providing a Region breakdown and showing whether the current state of an attribute is *uniform across accounts* (`numberOfMatchedAccounts`) or *inconsistent* (`numberOfUnmatchedAccounts`). You can also see the *most frequent value*, which is the configuration value that is most frequently observed for the attribute.

The choice to attach a declarative policy for enforcing a baseline configuration depends on your specific use case.

For more information and an illustrative example, see [Account status report for declarative policies](orgs_manage_policies_declarative.md#orgs_manage_policies_declarative-account-status-report).

## Start small and then scale
<a name="bp-declarative-rules"></a>

To simplify debugging, start with a test policy. Validate the behavior and impact of each change before making the next change. This approach reduces the number of variables you have to account for when an error or unexpected result occurs.

For example, you can start with a test policy attached to a single account in a noncritical test environment. After you have confirmed that it works to your specifications, you can then incrementally move the policy up the organization structure to more accounts and more organizational units (OUs).

## Establish review processes
<a name="bp-declarative-review"></a>

Implement processes to monitor for new declarative attributes, evaluate policy exceptions, and make adjustments to maintain alignment with your organizational security and operational requirements.

## Validate changes using `DescribeEffectivePolicy`
<a name="bp-declarative-workflow"></a>

After you make a change to a declarative policy, check the effective policies for representative accounts below the level where you made the change. You can [view the effective policy by using the AWS Management Console](orgs_manage_policies_effective.md), or by using the [DescribeEffectivePolicy](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeEffectivePolicy.html) API operation or one of its AWS CLI or AWS SDK variants. Ensure that the change you made had the intended impact on the effective policy.

## Communicate and train
<a name="bp-declarative-train"></a>

Ensure your organizations understand the purpose and impact of your declarative policies. Provide clear guidance on the expected behaviors and how to handle failures due to policy enforcement.

# Generating the account status report for declarative policies
<a name="orgs_manage_policies_declarative_status-report"></a>

The *account status report* allows you to review the current status of all attributes supported by declarative policies for the accounts in scope. You can choose the accounts and organizational units (OUs) to include in the report scope, or choose an entire organization by selecting the root.

This report helps you assess readiness by providing a Region breakdown and showing whether the current state of an attribute is *uniform across accounts* (`numberOfMatchedAccounts`) or *inconsistent* (`numberOfUnmatchedAccounts`). You can also see the *most frequent value*, which is the configuration value that is most frequently observed for the attribute.

The choice to attach a declarative policy for enforcing a baseline configuration depends on your specific use case.

For more information and an illustrative example, see [Account status report for declarative policies](orgs_manage_policies_declarative.md#orgs_manage_policies_declarative-account-status-report).

## Prerequisites
<a name="orgs_manage_policies_declarative_accessing-status-report-prerequisites"></a>

Before you can generate an account status report, the following requirements must be met:

1. The `StartDeclarativePoliciesReport` API can only be called by the management account or delegated administrators for an organization.

1. To run reports from a delegated administrator account, the account must be registered as a delegated administrator for the EC2 service.

1. You must have an Amazon S3 bucket for the report (create a new one or use an existing one). The bucket must be in the same Region in which the request is made and must have an appropriate bucket policy. For a sample bucket policy, see *Sample Amazon S3 policy* under [Examples](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartDeclarativePoliciesReport.html#API_StartDeclarativePoliciesReport_Examples) in the *Amazon EC2 API Reference*.

1. You must enable trusted access for the service where the declarative policy will enforce a baseline configuration. This creates a read-only service-linked role that is used to generate the account status report of what the existing configuration is for accounts across your organization.

   **Using the console**

   For the Organizations console, this step is a part of the process for enabling declarative policies.

   **Using the AWS CLI**

   For the AWS CLI, use the [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) API.

   For more information on how to enable trusted access for a specific service with the AWS CLI see, [AWS services that you can use with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html).

1. Only one report per organization can be generated at a time. Attempting to generate a report while another is in progress will result in an error.

## Access the account status report
<a name="orgs_manage_policies_declarative_accessing-status-report"></a>

**Minimum permissions**  
To generate an account status report, you need permission to run the following actions:
+ `ec2:StartDeclarativePoliciesReport`
+ `ec2:DescribeDeclarativePoliciesReports`
+ `ec2:GetDeclarativePoliciesReportSummary`
+ `ec2:CancelDeclarativePoliciesReport`
+ `organizations:DescribeAccount`
+ `organizations:DescribeOrganization`
+ `organizations:DescribeOrganizationalUnit`
+ `organizations:ListAccounts`
+ `organizations:ListDelegatedAdministrators`
+ `organizations:ListAWSServiceAccessForOrganization`
+ `s3:PutObject`

**Note**  
If your Amazon S3 bucket uses SSE-KMS encryption, you must also include the `kms:GenerateDataKey` permission in the policy.

------
#### [ AWS Management Console ]

Use the following procedure to generate an account status report.

**To generate an account status report**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. On the **Policies** page, choose **Declarative policies for EC2**.

1. On the **Declarative policies for EC2** page, choose **View account status report** from the **Actions** dropdown menu.

1. On the **View account status report** page, choose **Generate status report**.

1. In the **Organizational structure** widget, specify which organizational units (OUs) you want to include in the report.

1. Choose **Submit**.

------
#### [ AWS CLI & AWS SDKs ]

**To generate an account status report**

Use the following AWS CLI commands to generate an account status report, check its status, and view the summary:
+ `aws ec2 start-declarative-policies-report`: Generates an account status report. The report is generated asynchronously and can take several hours to complete. For more information, see [StartDeclarativePoliciesReport](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartDeclarativePoliciesReport.html) in the *Amazon EC2 API Reference*.
+ `aws ec2 describe-declarative-policies-reports`: Describes the metadata of one or more account status reports, including the state of each report. For more information, see [DescribeDeclarativePoliciesReports](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeDeclarativePoliciesReports.html) in the *Amazon EC2 API Reference*.
+ `aws ec2 get-declarative-policies-report-summary`: Retrieves the summary of a completed account status report. For more information, see [GetDeclarativePoliciesReportSummary](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetDeclarativePoliciesReportSummary.html) in the *Amazon EC2 API Reference*.
+ `aws ec2 cancel-declarative-policies-report`: Cancels the generation of an account status report. For more information, see [CancelDeclarativePoliciesReport](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CancelDeclarativePoliciesReport.html) in the *Amazon EC2 API Reference*.

Before generating a report, grant the identity that calls `StartDeclarativePoliciesReport` permission to write the report to the Amazon S3 bucket where it will be stored. To do this, attach the following policy to the bucket. Replace `amzn-s3-demo-bucket` with your actual Amazon S3 bucket name, and `identity_ARN` with the ARN of the IAM identity used to call the API. The `aws:CalledViaLast` condition limits this statement to writes made through AWS Organizations on that identity's behalf, so the bucket policy itself does not grant the identity general write access to the bucket.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeclarativePoliciesReportDelivery",
            "Effect": "Allow",
            "Principal": {
                "AWS": "identity_ARN"
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "organizations.amazonaws.com"
                }
            }
        }
    ]
}
```

------

------
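The full report workflow with the AWS CLI, as an added example that is not part of the AWS documentation: apply the bucket policy above, start the report, poll until it finishes, and fetch the summary. The `s3api put-bucket-policy` and `ec2` commands are the real CLI names; the function names, bucket, identity ARN, target ID and report ID are placeholders, and the terminal report states assumed by the poll loop are `complete`, `error` and `cancelled`. It assumes the bucket already exists in the Region the CLI is configured for. Set `DRY_RUN=1` to print the commands instead of executing them.

```shell
# Added example: deliver permissions, start, wait for and summarize an account
# status report. Not AWS code; all names and IDs are placeholders.
set -eu

# run: print the command under DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# bucket_policy BUCKET IDENTITY_ARN: the bucket policy from this page with the
# placeholders filled in. The CalledViaLast condition restricts the grant to
# writes made through AWS Organizations on IDENTITY_ARN's behalf.
bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeclarativePoliciesReportDelivery",
      "Effect": "Allow",
      "Principal": { "AWS": "$2" },
      "Action": [ "s3:PutObject" ],
      "Resource": "arn:aws:s3:::$1/*",
      "Condition": {
        "StringEquals": { "aws:CalledViaLast": "organizations.amazonaws.com" }
      }
    }
  ]
}
EOF
}

# wait_for_report REPORT_ID: poll until the report leaves the running state.
# Reports can take hours, so poll slowly. Returns non-zero on error/cancelled.
wait_for_report() {
  report_id=$1
  while :; do
    status=$(run aws ec2 describe-declarative-policies-reports --report-ids "$report_id" \
               --query 'Reports[0].Status' --output text)
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$status"; return 0; fi  # nothing to wait for offline
    case "$status" in
      complete) return 0 ;;
      error|cancelled) echo "report $report_id ended with status $status" >&2; return 1 ;;
      *) sleep 60 ;;
    esac
  done
}

# status_report BUCKET IDENTITY_ARN TARGET_ID
# TARGET_ID is the root, OU or account to include in the report scope.
status_report() {
  bucket=$1; identity_arn=$2; target_id=$3
  policy_file=$(mktemp)
  bucket_policy "$bucket" "$identity_arn" > "$policy_file"
  run aws s3api put-bucket-policy --bucket "$bucket" --policy "file://$policy_file"
  rm -f "$policy_file"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    report_id="example-report-id"   # placeholder: no report is started offline
    run aws ec2 start-declarative-policies-report --s3-bucket "$bucket" --target-id "$target_id"
  else
    report_id=$(aws ec2 start-declarative-policies-report --s3-bucket "$bucket" --target-id "$target_id" \
                  --query 'ReportId' --output text)
  fi
  wait_for_report "$report_id"
  # The summary carries, per attribute, the matched/unmatched account counts,
  # the most frequent value and the Region breakdown described on this page.
  run aws ec2 get-declarative-policies-report-summary --report-id "$report_id"
}

# Usage: sh status-report.sh amzn-s3-demo-bucket arn:aws:iam::111122223333:role/OrgAdmin r-abcd
if [ "$#" -eq 3 ]; then status_report "$@"; fi
```

If the bucket uses SSE-KMS, the calling identity also needs `kms:GenerateDataKey` on the bucket's key, as noted above; the bucket policy alone does not cover that.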

# Declarative policy syntax and examples
<a name="orgs_manage_policies_declarative_syntax"></a>

This page describes declarative policy syntax and provides examples.

## Considerations
<a name="declarative-policy-syntax-considerations"></a>
+ When you configure a service attribute using a declarative policy, it might impact multiple APIs. Any noncompliant actions will fail.
+ Account administrators will not be able to modify the value of the service attribute at the individual account level.

## Syntax for declarative policies
<a name="declarative-policy-syntax-reference"></a>

A declarative policy is a plaintext file that is structured according to the rules of [JSON](http://json.org). The syntax for declarative policies follows the syntax for all management policy types. For a complete discussion of that syntax, see [Policy syntax and inheritance for management policy types](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_mgmt.html). This topic focuses on applying that general syntax to the specific requirements of the declarative policy type.

The following example shows basic declarative policy syntax:

```
{
  "ec2_attributes": {
    "exception_message": {
      "@@assign": "Your custom error message.https://myURL"
    }
  }
}
```
+ `ec2_attributes` is the fixed top-level key. Declarative policies always start with a fixed key name for the given AWS service; it is the top line in the example policy above. Currently, declarative policies support only Amazon EC2 related services.
+ Under `ec2_attributes`, you can use `exception_message` to set a custom error message. For more information, see [Custom error messages for declarative policies](orgs_manage_policies_declarative.md#orgs_manage_policies_declarative-custom-message).
+ Under `ec2_attributes`, you can insert one or more of the supported attributes. For their schemas, see [Supported declarative policies](#declarative-policy-examples).

## Supported declarative policies
<a name="declarative-policy-examples"></a>

The following are the AWS services and attributes that declarative policies support. In some of the following examples, the JSON whitespace formatting might be compressed to save space.
+ VPC Block Public Access
+ Serial Console Access
+ Image Block Public Access
+ Allowed Images Settings
+ Instance Metadata
+ Snapshot Block Public Access

------
#### [ VPC Block Public Access ]

**Policy effect**

Controls if resources in Amazon VPCs and subnets can reach the internet through internet gateways (IGWs). For more information, see [Configuration for internet access](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-igw-internet-access.html) in the *Amazon Virtual Private Cloud User Guide*.

**Policy contents**

```
{
  "ec2_attributes": {
    "vpc_block_public_access": {
      "internet_gateway_block": {
        "mode": {
          "@@assign": "block_ingress"
        },
        "exclusions_allowed": {
          "@@assign": "enabled"
        }
      }
    }
  }
}
```

The following are the available fields for this attribute:
+ `"internet_gateway_block"`:
  + `"mode"`:
    + `"off"`: VPC BPA is not enabled.
    + `"block_ingress"`: All internet traffic to the VPCs (except for VPCs or subnets which are excluded) is blocked. Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
    + `"block_bidirectional"`: All traffic to and from internet gateways and egress-only internet gateways (except for excluded VPCs and subnets) is blocked.
+ `"exclusions_allowed"`: An exclusion is a mode that can be applied to a single VPC or subnet that exempts it from the account’s VPC BPA mode and will allow bidirectional or egress-only access.
  + `"enabled"`: Exclusions can be created by the account.
  + `"disabled"`: Exclusions cannot be created by the account.
**Note**  
You can use the attribute to configure if exclusions are allowed, but you cannot create exclusions with this attribute itself. To create exclusions, you must create them in the account that owns the VPC. For more information about creating VPC BPA exclusions, see [Create and delete exclusions](https://docs.aws.amazon.com//vpc/latest/userguide/security-vpc-bpa.html#security-vpc-bpa-exclusions) in the *Amazon VPC User Guide*.

**Considerations**

If you use this attribute in a declarative policy, you cannot use the following operations to modify the enforced configuration for the accounts in scope. This list is not exhaustive:
+ `ModifyVpcBlockPublicAccessOptions`
+ `CreateVpcBlockPublicAccessExclusion`
+ `ModifyVpcBlockPublicAccessExclusion`

------
#### [ Serial Console Access ]

**Policy effect**

Controls if the EC2 serial console is accessible. For more information about the EC2 serial console, see [EC2 Serial Console](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-serial-console.html) in the *Amazon Elastic Compute Cloud User Guide*.

**Policy contents**

```
{
  "ec2_attributes": {
    "serial_console_access": {
      "status": {
        "@@assign": "enabled"
      }
    }
  }
}
```

The following are the available fields for this attribute:
+ `"status"`:
  + `"enabled"`: EC2 serial console access is allowed. 
  + `"disabled"`: EC2 serial console access is blocked. 

**Considerations**

If you use this attribute in a declarative policy, you cannot use the following operations to modify the enforced configuration for the accounts in scope. This list is not exhaustive:
+ `EnableSerialConsoleAccess`
+ `DisableSerialConsoleAccess`

------
#### [ Image Block Public Access ]

**Policy effect**

Controls if Amazon Machine Images (AMIs) are publicly sharable. For more information about AMIs, see [Amazon Machine Images (AMIs)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) in the *Amazon Elastic Compute Cloud User Guide*.

**Policy contents**

```
{
  "ec2_attributes": {
    "image_block_public_access": {
      "state": {
        "@@assign": "block_new_sharing"
      }
    }
  }
}
```

The following are the available fields for this attribute:
+ `"state"`:
  + `"unblocked"`: No restrictions on the public sharing of AMIs.
  + `"block_new_sharing"`: Blocks new public sharing of AMIs. AMIs that were already publicly shared remain publicly available. 

**Considerations**

If you use this attribute in a declarative policy, you cannot use the following operations to modify the enforced configuration for the accounts in scope. This list is not exhaustive:
+ `EnableImageBlockPublicAccess`
+ `DisableImageBlockPublicAccess`

------
#### [ Allowed Images Settings ]

**Policy effect**

Controls the discovery and use of Amazon Machine Images (AMI) in Amazon EC2 with Allowed AMIs. For more information about AMIs, see [Control the discovery and use of AMIs in Amazon EC2 with Allowed AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-allowed-amis.html) in the *Amazon Elastic Compute Cloud User Guide*.

**Policy contents**

The following policy enables the attribute with a single criterion that allows only Amazon-owned images; the available fields are described after the example:

```
{
  "ec2_attributes": {
    "allowed_images_settings": {
      "state": {
        "@@assign": "enabled"
      },
      "image_criteria": {
        "criteria_1": {
          "allowed_image_providers": {
            "@@append": [
              "amazon"
            ]
          }
        }
      }
    }
  }
}
```
+ `"state"`:
  + `"enabled"`: The attribute is active and enforced.
  + `"disabled"`: The attribute is inactive and not enforced.
  + `"audit_mode"`: The attribute is in audit mode. This means it will identify noncompliant images but not block their use.
+ `"image_criteria"`: A list of criteria. Up to 10 criteria are supported, named `criteria_1` through `criteria_10`.
  + `"allowed_image_providers"`: A list of 12-digit account IDs or the owner aliases `amazon`, `aws-marketplace`, or `aws-backup-vault`.
  + `"image_names"`: The names of the allowed images. Names can include the wildcards `?` and `*`. Length: 1–128 characters. With `?`, the minimum is 3 characters.
  + `"marketplace_product_codes"`: The AWS Marketplace product codes for allowed images. Length: 1–25 characters. Valid characters: letters (A–Z, a–z) and numbers (0–9).
  + `"creation_date_condition"`: The maximum age for allowed images.
    + `"maximum_days_since_created"`: The maximum number of days that have elapsed since the image was created. Valid Range: Minimum value of 0. Maximum value of 2147483647.
  + `"deprecation_time_condition"`: The maximum period since deprecation for allowed images.
    + `"maximum_days_since_deprecated"`: The maximum number of days that have elapsed since the image was deprecated. Valid Range: Minimum value of 0. Maximum value of 2147483647.

**Considerations**

If you use this attribute in a declarative policy, you cannot use the following operations to modify the enforced configuration for the accounts in scope. This list is not exhaustive:
+ `EnableAllowedImagesSettings`
+ `ReplaceImageCriteriaInAllowedImagesSettings`
+ `DisableAllowedImagesSettings`

------
#### [ Instance Metadata ]

**Policy effect**

Controls IMDS defaults and IMDSv2 enforcement for all new EC2 instance launches. For more information about IMDS defaults and IMDSv2 enforcement, see [Use instance metadata to manage your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the *Amazon EC2 User Guide*.

**Policy contents**

The following are the available fields for this attribute:

```
{
  "ec2_attributes": {
    "instance_metadata_defaults": {
      "http_tokens": {
        "@@assign": "required"
      },
      "http_put_response_hop_limit": {
        "@@assign": "4"
      },
      "http_endpoint": {
        "@@assign": "enabled"
      },
      "instance_metadata_tags": {
        "@@assign": "enabled"
      },
      "http_tokens_enforced": {
        "@@assign": "enabled"
      }
    }
  }
}
```
+ `"http_tokens"`:
  + `"no_preference"`: Other defaults apply. For example, AMI defaults if applicable. 
  + `"required"`: IMDSv2 must be used. IMDSv1 is not allowed. 
  + `"optional"`: Both IMDSv1 and IMDSv2 are allowed.
**Note**  
**Metadata version**  
Before setting `http_tokens` to `required` (IMDSv2 must be used), make sure that none of your instances are making IMDSv1 calls. For more information, see [Step 1: Identify instances with IMDSv2=optional and audit IMDSv1 usage](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html#path-step-1) in the *Amazon EC2 User Guide*.
+ `"http_put_response_hop_limit"`:
  + `"Integer"`: Integer value from -1 to 64, representing the maximum number of hops the metadata token can travel. To indicate no preference, specify -1.
**Note**  
**Hop limit**  
If `http_tokens` is set to `required`, it is recommended to set `http_put_response_hop_limit` to a minimum of 2. For more information, see [Instance metadata access considerations](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#imds-considerations) in the *Amazon Elastic Compute Cloud User Guide*.
+ `"http_endpoint"`:
  + `"no_preference"`: Other defaults apply. For example, AMI defaults if applicable. 
  + `"enabled"`: The instance metadata service endpoint is accessible.
  + `"disabled"`: The instance metadata service endpoint is not accessible.
+ `"instance_metadata_tags"`:
  + `"no_preference"`: Other defaults apply. For example, AMI defaults if applicable. 
  + `"enabled"`: Instance tags can be accessed from instance metadata. 
  + `"disabled"`: Instance tags cannot be accessed from instance metadata.
+ `"http_tokens_enforced"`:
  + `"no_preference"`: Other defaults apply. For example, AMI defaults if applicable.
  + `"enabled"`: IMDSv2 must be used. Attempts to launch an IMDSv1 instance or to enable IMDSv1 on existing instances will fail.
  + `"disabled"`: Both IMDSv1 and IMDSv2 are allowed.
**Warning**  
**IMDSv2 enforcement**  
Enabling IMDSv2 enforcement while allowing IMDSv1 and IMDSv2 (token optional) will cause launch failures, unless IMDSv1 is explicitly disabled, either through launch parameters or AMI defaults. For more information, see [Launching an IMDSv1-enabled instance fails](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html#launching-an-imdsv1-enabled-instance-fails) in the *Amazon EC2 User Guide*.

------
#### [ Snapshot Block Public Access ]

**Policy effect**

Controls whether Amazon EBS snapshots are publicly accessible. For more information about EBS snapshots, see [Amazon EBS snapshots](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-snapshots.html) in the *Amazon Elastic Block Store User Guide*.

**Policy contents**

```
{
  "ec2_attributes": {
    "snapshot_block_public_access": {
      "state": {
        "@@assign": "block_new_sharing"
      }
    }
  }
}
```

The following are the available fields for this attribute:
+ `"state"`:
  + `"block_all_sharing"`: Blocks all public sharing of snapshots. Snapshots that were already publicly shared are treated as private and are no longer publicly available. 
  + `"block_new_sharing"`: Blocks new public sharing of snapshots. Snapshots that were already publicly shared remain publicly available. 
  + `"unblocked"`: No restrictions on the public sharing of snapshots. 

**Considerations**

If you use this attribute in a declarative policy, you cannot use the following operations to modify the enforced configuration for the accounts in scope. This list is not exhaustive:
+ `EnableSnapshotBlockPublicAccess`
+ `DisableSnapshotBlockPublicAccess`
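
The following linter is an added example, not part of the AWS documentation or of any AWS tool. It checks the `ec2_attributes` block of a policy document against the constraints stated above for Allowed Images Settings, Instance Metadata and Snapshot Block Public Access so that a policy can be reviewed before it is attached: enum values, the `-1..64` hop-limit range, the `criteria_1`..`criteria_10` naming and 10-criteria limit, provider and image-name formats, the hop-limit recommendation in the Note, and the `http_tokens_enforced` plus `http_tokens=optional` combination that the Warning says causes launch failures. It assumes that `image_criteria` is an object keyed `criteria_1` through `criteria_10` whose fields hold `@@assign` or `@@append` values (the field descriptions imply this shape, but it is an assumption), and both sample policies are constructed.

```python
"""Offline linter for the ec2_attributes block of a declarative policy (added
example, not AWS code). It encodes the ranges and combinations this page states;
the image_criteria nesting (keys criteria_1 .. criteria_10, fields holding
@@assign / @@append values) is assumed from the field descriptions."""
import re

OWNER_ALIASES = {"amazon", "aws_marketplace", "aws_backup_vault"}
SNAPSHOT_STATES = {"block_all_sharing", "block_new_sharing", "unblocked"}
IMDS_ENUMS = {
    "http_tokens": {"no_preference", "required", "optional"},
    "http_endpoint": {"no_preference", "enabled", "disabled"},
    "instance_metadata_tags": {"no_preference", "enabled", "disabled"},
    "http_tokens_enforced": {"no_preference", "enabled", "disabled"},
}


def value_of(node):
    """Unwrap an operator node such as {"@@assign": x}; scalars pass through."""
    if isinstance(node, dict):
        for op in ("@@assign", "@@append"):
            if op in node:
                return node[op]
    return node


def as_list(node):
    """A comma-separated string or a list of strings, returned as a list."""
    value = value_of(node) or []
    return [v.strip() for v in value.split(",")] if isinstance(value, str) else list(value)


def check_allowed_images(settings, out):
    if value_of(settings.get("state")) not in {"enabled", "disabled", "audit_mode"}:
        out.append("ERROR allowed_images_settings.state not recognised")
    criteria = settings.get("image_criteria", {})
    if len(criteria) > 10:
        out.append("ERROR image_criteria: more than 10 criteria")
    for name, crit in criteria.items():
        if not re.fullmatch(r"criteria_(?:[1-9]|10)", name):
            out.append(f"ERROR image_criteria name {name!r}: use criteria_1 .. criteria_10")
        for provider in as_list(crit.get("allowed_image_providers")):
            if not (re.fullmatch(r"\d{12}", provider) or provider in OWNER_ALIASES):
                out.append(f"ERROR {name}: unknown image provider {provider!r}")
        for image in as_list(crit.get("image_names")):
            low = 3 if "?" in image else 1      # a '?' wildcard needs at least 3 chars
            if not low <= len(image) <= 128:
                out.append(f"ERROR {name}: image name {image!r} length out of range")
        for code in as_list(crit.get("marketplace_product_codes")):
            if not re.fullmatch(r"[A-Za-z0-9]{1,25}", code):
                out.append(f"ERROR {name}: invalid Marketplace product code {code!r}")


def check_instance_metadata(imds, out):
    for key, allowed in IMDS_ENUMS.items():
        if key in imds and value_of(imds[key]) not in allowed:
            out.append(f"ERROR {key} {value_of(imds[key])!r} not in {sorted(allowed)}")
    hop = int(value_of(imds.get("http_put_response_hop_limit", -1)))
    if not -1 <= hop <= 64:
        out.append(f"ERROR http_put_response_hop_limit {hop} outside -1 .. 64")
    tokens = value_of(imds.get("http_tokens", "no_preference"))
    enforced = value_of(imds.get("http_tokens_enforced", "no_preference"))
    if enforced == "enabled" and tokens == "optional":   # the Warning on this page
        out.append("ERROR http_tokens_enforced=enabled while http_tokens=optional: "
                   "IMDSv1-enabled launches will fail")
    if tokens == "required" and 0 <= hop < 2:           # the hop-limit Note on this page
        out.append("WARN http_tokens=required with hop limit below the recommended 2")


def check_snapshot(snapshot, out):
    if value_of(snapshot.get("state")) not in SNAPSHOT_STATES:
        out.append("ERROR snapshot_block_public_access.state not recognised")


def lint_policy(policy):
    """Return ERROR/WARN strings for the ec2_attributes block; [] means clean."""
    out, ec2 = [], policy.get("ec2_attributes", {})
    for key, check in (("allowed_images_settings", check_allowed_images),
                       ("instance_metadata_defaults", check_instance_metadata),
                       ("snapshot_block_public_access", check_snapshot)):
        if key in ec2:
            check(ec2[key], out)
    return out


# Constructed sample policies (not from the page): one clean, one with defects.
GOOD_POLICY = {"ec2_attributes": {
    "allowed_images_settings": {"state": {"@@assign": "audit_mode"}, "image_criteria": {"criteria_1": {
        "allowed_image_providers": {"@@append": ["amazon", "123456789012"]},
        "image_names": {"@@append": ["al2023-ami-*"]}}}},
    "instance_metadata_defaults": {"http_tokens": {"@@assign": "required"},
        "http_put_response_hop_limit": {"@@assign": "2"}, "http_tokens_enforced": {"@@assign": "enabled"}},
    "snapshot_block_public_access": {"state": {"@@assign": "block_new_sharing"}}}}
BAD_POLICY = {"ec2_attributes": {
    "allowed_images_settings": {"state": {"@@assign": "enabled"}, "image_criteria": {
        "criteria_1": {"image_names": {"@@append": ["?x"]}},
        "criteria_11": {"allowed_image_providers": {"@@assign": "amazon, not-an-alias"}}}},
    "instance_metadata_defaults": {"http_tokens": {"@@assign": "optional"},
        "http_put_response_hop_limit": {"@@assign": "99"}, "http_tokens_enforced": {"@@assign": "enabled"}},
    "snapshot_block_public_access": {"state": {"@@assign": "block_everything"}}}}
```

`lint_policy(GOOD_POLICY)` returns an empty list; `lint_policy(BAD_POLICY)` returns six `ERROR` findings, one of them the enforcement-with-optional-tokens combination. To check a real policy file, `json.load` it and pass the resulting dict to `lint_policy`.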

------