aws-ec2 v5.56.0 - Comparison Mode for Instance Metadata Service hop limit

Jun 17, 2026

What's new?

  • Added a Comparison Mode sub-policy to the EC2 instance and account-attributes Metadata Service hop-limit controls, governing how the configured HTTP Token Hop Limit is compared against the actual value: Exact match (the default, preserving the original behavior where Check requires an exact match and Enforce sets the exact value) or Maximum, which treats the configured value as a security ceiling: a lower, more restrictive hop limit is compliant, and Enforce only lowers a limit that exceeds it. Defaulting to Exact match keeps existing installations unchanged.
  • The AWS > EC2 > Snapshot > CMDB control is now event-driven: it reacts to the AWS EBS Snapshot Notification completion event (and the multi-volume equivalent) to capture the snapshot's pending-to-available transition, and no longer re-runs every 5 minutes while a snapshot is pending. This sharply reduces redundant control runs for large or long-running snapshots, along with the matching event, worker, and notification cascade. The periodic discovery sweep remains the backstop if a completion event is ever missed. Requires the AWS mod version that forwards these snapshot events.
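A model of the two comparison modes described above, added here as an illustration and not code from the aws-ec2 mod; the function names, the verdict structure and the instance IDs are assumptions. It shows why Maximum matters: under Exact match, Enforce raises a stricter hop limit to the configured value, while under Maximum only an excessive limit is changed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class ComparisonMode(Enum):
    EXACT = "Exact match"   # default, original behavior
    MAXIMUM = "Maximum"     # configured value is a ceiling


@dataclass(frozen=True)
class HopLimitVerdict:
    compliant: bool
    enforce_to: Optional[int]  # value Enforce would set, None when nothing changes


def evaluate_hop_limit(configured: int, actual: int, mode: ComparisonMode) -> HopLimitVerdict:
    """Check/Enforce outcome for one HTTP Token Hop Limit value (assumed model)."""
    if configured < 1 or actual < 1:
        raise ValueError("hop limits are positive integers")
    if mode is ComparisonMode.EXACT:
        # Check passes only on an identical value; Enforce sets the exact value,
        # even when that raises a lower (more restrictive) limit.
        if actual == configured:
            return HopLimitVerdict(True, None)
        return HopLimitVerdict(False, configured)
    # Maximum: lower is more restrictive and therefore compliant;
    # Enforce lowers only a limit that exceeds the ceiling.
    if actual <= configured:
        return HopLimitVerdict(True, None)
    return HopLimitVerdict(False, configured)


# Constructed sample: instance id -> current hop limit (not from a real account).
SAMPLE_INSTANCES: Dict[str, int] = {"i-0aaa": 1, "i-0bbb": 2, "i-0ccc": 3}


def plan_enforcement(instances: Dict[str, int], configured: int,
                     mode: ComparisonMode) -> Dict[str, HopLimitVerdict]:
    """Verdict per instance, i.e. what Enforce would change under the given mode."""
    return {iid: evaluate_hop_limit(configured, hop, mode) for iid, hop in instances.items()}


if __name__ == "__main__":
    for mode in ComparisonMode:
        print(mode.value, plan_enforcement(SAMPLE_INSTANCES, 2, mode))
```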

Policy Types

Added

  • AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > HTTP Token Hop Limit > Comparison Mode
  • AWS > EC2 > Instance > Metadata Service > HTTP Token Hop Limit > Comparison Mode

Bug fixes

  • Fixed the AWS > EC2 > Instance > CMDB control entering an error state when the Guardrails role lacks permission for the enrichment APIs ec2:DescribeInstanceImageMetadata or ec2:DescribeImages. These calls only add supplementary AMI image metadata, so a permission denial (or the metadata API being unavailable in a given region or partition) now degrades gracefully by leaving those fields empty instead of failing the whole control. A permission denial is logged as a warning (naming the missing permission) so the gap is discoverable and fixable.