diff --git a/CHANGELOG.md b/CHANGELOG.md
index e9ba7ef..405137a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -378,3 +378,7 @@
* 2.7.0 -- 2024-11-13
- inventory
- add inventory code for use in decommission (not a submodule at this time)
+
+* 2.8.0 -- 2024-12-16
+ - ec2-settings
+ - add settings for ebs (encrypt by default) and ec2 (enable imdsv2), block public sharing of ami and snapshots
diff --git a/common/version.tf b/common/version.tf
index 2499cf3..4baf91e 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "2.7.0"
+ _module_version = "2.8.0"
}
diff --git a/ec2-settings/README.md b/ec2-settings/README.md
new file mode 100644
index 0000000..033c4c8
--- /dev/null
+++ b/ec2-settings/README.md
@@ -0,0 +1,122 @@
+# aws-inf-setup :: iam-account-settings
+
+# Usage
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "settings" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-account-settings"
+
+ account_alias = "ma5-gov"
+ account_usage = "GovCloud Management Account"
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_account_alias.alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_alias) | resource |
+| [aws_iam_account_password_policy.account_settings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [account\_settings](#input\_account\_settings) | Map of account setting values to change. See resource docs for aws\_iam\_account\_password\_policy for values | `map(string)` | `{}` | no |
+| [account\_usage](#input\_account\_usage) | AWS Account Usage (what we are using it for) | `string` | `""` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [console\_url](#output\_console\_url) | AWS Console URL |
+
+
+# aws-inf-setup :: ec2-settings
+This module will setup several default per account and region. It must be used in each region.
+
+* EBS
+ * default key (alias/aws/ebs)
+ * encrypt by default (using above key)
+ * blocks public sharing of snapshots
+* EC2
+ * blocks public sharing of AMIs
+ * sets instance metdata to allow v1 and v2
+ * makes imds token optional
+ * sets imds hop limit to 2
+ * enables metadata tags
+
+# Usage
+This module takes no attributes.
+
+```hcl
+module "ec2-settings" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ec2-settings?ref=tf-upgrade"
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ebs_default_kms_key.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_default_kms_key) | resource |
+| [aws_ebs_encryption_by_default.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource |
+| [aws_ebs_snapshot_block_public_access.sharing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_snapshot_block_public_access) | resource |
+| [aws_ec2_image_block_public_access.sharing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_image_block_public_access) | resource |
+| [aws_ec2_instance_metadata_defaults.imds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_instance_metadata_defaults) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_kms_key.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+No outputs.
+
\ No newline at end of file
diff --git a/ec2-settings/_module_name.tf b/ec2-settings/_module_name.tf
new file mode 100644
index 0000000..79392e5
--- /dev/null
+++ b/ec2-settings/_module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-inf-setup/ec2-settings"
+}
diff --git a/ec2-settings/data.tf b/ec2-settings/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/ec2-settings/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/ec2-settings/defaults.tf b/ec2-settings/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/ec2-settings/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/ec2-settings/main.tf b/ec2-settings/main.tf
new file mode 100644
index 0000000..2af2afa
--- /dev/null
+++ b/ec2-settings/main.tf
@@ -0,0 +1,68 @@
+/*
+* # aws-inf-setup :: ec2-settings
+* This module will setup several default per account and region. It must be used in each region.
+*
+* * EBS
+* * default key (alias/aws/ebs)
+* * encrypt by default (using above key)
+* * blocks public sharing of snapshots
+* * EC2
+* * blocks public sharing of AMIs
+* * sets instance metdata to allow v1 and v2
+* * makes imds token optional
+* * sets imds hop limit to 2
+* * enables metadata tags
+*
+* # Usage
+* This module takes no attributes.
+*
+* ```hcl
+* module "ec2-settings" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ec2-settings?ref=tf-upgrade"
+* }
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ base_tags = {
+ "boc:created_by" = "terraform"
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = local._module_name
+ }
+}
+
+#---
+# EBS
+#---
+data "aws_kms_key" "default" {
+ key_id = "alias/aws/ebs"
+}
+
+resource "aws_ebs_default_kms_key" "default" {
+ key_arn = aws_kms_key.default.arn
+}
+
+resource "aws_ebs_encryption_by_default" "default" {
+ enabled = true
+}
+
+resource "aws_ebs_snapshot_block_public_access" "sharing" {
+ state = "block-all-sharing"
+}
+
+#---
+# EC2
+#---
+resource "aws_ec2_image_block_public_access" "sharing" {
+ state = "block-new-sharing"
+}
+
+resource "aws_ec2_instance_metadata_defaults" "imds" {
+ http_endpoint = "enabled"
+ http_tokens = "optional"
+ http_put_response_hop_limit = 2
+ instance_metadata_tags = "enabled"
+}
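Review bot: `http_tokens = "optional"` in `aws_ec2_instance_metadata_defaults.imds` leaves IMDSv1 accepted on new instances, so the account default does not enforce IMDSv2 even though the changelog entry describes this as enabling it. If enforcement is the goal use `http_tokens = "required"`; otherwise add a comment on that line, such as `# IMDSv1 still allowed by default; tighten to "required" once workloads are verified`, so the choice is explicit. With `http_put_response_hop_limit = 2` (presumably for containerised workloads) the metadata response can travel one hop past the instance, which makes token enforcement matter more. Separately, `aws_ebs_default_kms_key.default` reads `aws_kms_key.default.arn`, but the key is declared as a data source in this same hunk, so the line should be `key_arn = data.aws_kms_key.default.arn`. `block-new-sharing` on `aws_ec2_image_block_public_access` does not touch AMIs that are already public, so those need a separate audit.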
diff --git a/ec2-settings/prefixes.tf b/ec2-settings/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/ec2-settings/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/ec2-settings/variables.common.tf b/ec2-settings/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/ec2-settings/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/ec2-settings/version.tf b/ec2-settings/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/ec2-settings/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/inventory/get-billing.sh b/inventory/get-billing.sh
index 4abcc5b..ea7b42a 100755
--- a/inventory/get-billing.sh
+++ b/inventory/get-billing.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-VERSION="1.0.1"
+VERSION="1.0.2"
caller=$(tf-aws sts get-caller-identity --query 'Arn' 2> /dev/null)
if [ $(echo $caller | grep -c aws-us-gov) != 0 ]
@@ -8,7 +8,6 @@ then
echo "# partition is not commercial, exiting"
exit 1
fi
-exit
lastmonth=$(date --date="-1 month" +%Y-%m-01)
nextmonth=$(date --date="+1 month" +%Y-%m-01)