Build EC2 launch template configurations with EBS, security, and user data.
Last verified: May 2026
Build EC2 launch template configs with instance types, storage, networking, and security settings.
Required Fields
LaunchTemplateName
LaunchTemplateData.ImageId
LaunchTemplateData.InstanceType
The builder generates EC2 Launch Template specifications with: AMI ID, instance type (or list of types), key name, security groups, EBS volumes (with size, type, encryption, KMS key), user data (base64-encoded), IAM instance profile, network interfaces (subnet, public IP assignment), placement group, capacity reservation, IMDS settings, and tag specifications. Output is the LaunchTemplateData JSON ready for aws ec2 create-launch-template and Terraform aws_launch_template resources.
EC2 Launch Templates define the configuration blueprint for launching instances — AMI, instance type, key pair, security groups, EBS volumes, user data scripts, IAM instance profiles, and advanced options like placement groups and capacity reservations. Unlike the older Launch Configurations, Launch Templates support versioning, so you can iterate on configurations without recreating Auto Scaling groups. The Launch Template Builder walks you through all the configurable fields and generates the complete JSON specification ready for use with the AWS CLI, CloudFormation, or Terraform.
Your team is hardening EC2 launch templates after a security audit found 12 templates allowing IMDSv1. The builder helps regenerate all 12 templates with: HttpTokens=required (IMDSv2 only), HttpPutResponseHopLimit=1 (block container access), encrypted EBS volumes with the team's KMS key, IAM instance profile reference, and approved security groups. Updated templates are deployed via the existing Auto Scaling groups: instances roll over on the next deploy cycle, and the audit finding is closed in 1 day.
ALWAYS set IMDSv2 to required (HttpTokens: required) on new launch templates. IMDSv1 is the SSRF vector exploited in the Capital One breach. Setting `HttpPutResponseHopLimit: 1` is also critical — it prevents Docker containers from accessing the metadata service through the host.
Mixed instance types in a single launch template let you blend Spot and On-Demand for cost optimization. Auto Scaling will fill On-Demand baseline first, then Spot for additional capacity. A typical pattern: 30% On-Demand, 70% Spot — saves ~50% vs all-On-Demand with similar reliability.
User data scripts are limited to 16 KB after base64 encoding. For a complex bootstrap, store the script in S3 and use a small user data script that downloads and runs it. This avoids the size limit and also lets you update the bootstrap without modifying the launch template.
Launch Templates are the newer, more capable replacement for Launch Configurations. Templates support versioning (you can create new versions without replacing the template), multiple instance types in a single template, Spot options, placement groups, capacity reservations, and elastic inference accelerators. Launch Configurations are immutable — any change requires creating a new one. AWS recommends using Launch Templates for all new Auto Scaling groups, and Launch Configurations will eventually be deprecated.
IMDSv2 adds a session-based authentication layer to the instance metadata endpoint. In the launch template, set HttpTokens to 'required' to enforce IMDSv2, which means all metadata requests must include a session token obtained via a PUT request. This prevents SSRF attacks that try to query the metadata endpoint to steal IAM role credentials. You can also set HttpPutResponseHopLimit to 1 to prevent containers or forwarded requests from reaching the metadata service.
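An added example, not part of the builder or of AWS tooling: a Python check over LaunchTemplateData JSON for the hardening settings described above (IMDSv2 required, hop limit 1, encrypted EBS volumes with an approved KMS key, an IAM instance profile), plus a helper that applies them. The sample template, the KMS key ARN and the profile name are constructed placeholders, and `audit` and `harden` are hypothetical names.

```python
import copy
import json

# Constructed sample LaunchTemplateData with the weak settings from the audit
# scenario; the AMI, KMS key and profile values are placeholders.
WEAK = json.loads("""{
  "ImageId": "ami-EXAMPLE", "InstanceType": "t3.micro",
  "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
  "BlockDeviceMappings": [
    {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 20, "Encrypted": false}}]
}""")

def audit(data, approved_kms_key=None):
    """Return a list of findings for one LaunchTemplateData dict."""
    findings = []
    md = data.get("MetadataOptions", {})
    # A missing value is flagged too: the template itself then does not enforce it.
    if md.get("HttpTokens") != "required":
        findings.append("MetadataOptions.HttpTokens is not 'required' (IMDSv1 allowed)")
    if md.get("HttpPutResponseHopLimit") != 1:
        findings.append("MetadataOptions.HttpPutResponseHopLimit is not 1")
    for bdm in data.get("BlockDeviceMappings", []):
        ebs, dev = bdm.get("Ebs"), bdm.get("DeviceName", "?")
        if ebs is None:
            continue  # mapping without EBS settings
        if ebs.get("Encrypted") is not True:
            findings.append(f"{dev}: EBS volume not encrypted")
        elif approved_kms_key and ebs.get("KmsKeyId") != approved_kms_key:
            findings.append(f"{dev}: EBS volume not using the approved KMS key")
    prof = data.get("IamInstanceProfile", {})
    if not (prof.get("Arn") or prof.get("Name")):
        findings.append("IamInstanceProfile is not set")
    return findings

def harden(data, kms_key, profile_name):
    """Return a copy of the template data with the hardening settings applied."""
    out = copy.deepcopy(data)
    out.setdefault("MetadataOptions", {}).update(
        HttpTokens="required", HttpPutResponseHopLimit=1)
    for bdm in out.get("BlockDeviceMappings", []):
        if "Ebs" in bdm:
            bdm["Ebs"].update(Encrypted=True, KmsKeyId=kms_key)
    if not out.get("IamInstanceProfile"):
        out["IamInstanceProfile"] = {"Name": profile_name}
    return out

if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
    fixed = harden(WEAK, "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE", "EXAMPLE-profile")
    print(json.dumps(fixed, indent=2))
```

Run `audit` over each exported template version before it is attached to an Auto Scaling group; an empty list means the template carries all four settings.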
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.