diff --git a/ec2-settings/README.md b/ec2-settings/README.md
new file mode 100644
index 0000000..7d06f97
--- /dev/null
+++ b/ec2-settings/README.md
@@ -0,0 +1,66 @@
+
+# aws-inf-setup :: ec2-settings
+This module will setup several default per account and region. It must be used in each region.
+
+* EBS
+ * default key (alias/aws/ebs)
+ * encrypt by default (using above key)
+ * blocks public sharing of snapshots
+* EC2
+ * blocks public sharing of AMIs
+ * sets instance metdata to allow v1 and v2
+ * makes imds token optional
+ * sets imds hop limit to 2
+ * enables metadata tags
+
+# Usage
+This module takes no attributes.
+
+```hcl
+module "ec2-settings" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ec2-settings?ref=tf-upgrade"
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ebs_default_kms_key.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_default_kms_key) | resource |
+| [aws_ebs_encryption_by_default.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource |
+| [aws_ebs_snapshot_block_public_access.sharing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_snapshot_block_public_access) | resource |
+| [aws_ec2_image_block_public_access.sharing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_image_block_public_access) | resource |
+| [aws_ec2_instance_metadata_defaults.imds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_instance_metadata_defaults) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_kms_key.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+No outputs.
+
diff --git a/ec2-settings/main.tf b/ec2-settings/main.tf
index 473c937..a9b76fb 100644
--- a/ec2-settings/main.tf
+++ b/ec2-settings/main.tf
@@ -62,9 +62,9 @@ resource "aws_ec2_image_block_public_access" "sharing" {
}
resource "aws_ec2_instance_metadata_defaults" "imds" {
+ instance_metadata_tags = "enabled"
http_endpoint = "enabled"
http_tokens = "optional"
http_put_response_hop_limit = 2
- instance_metadata_tags = "enabled"
}
diff --git a/ec2-settings/outputs.tf b/ec2-settings/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/ec2-settings/variables.tf b/ec2-settings/variables.tf
new file mode 100644
index 0000000..e69de29