diff --git a/enos/README.md b/enos/README.md index 7511d97695..9ecc555977 100644 --- a/enos/README.md +++ b/enos/README.md @@ -66,6 +66,8 @@ following lines 127.0.0.1 localhost worker 127.0.0.1 localhost vault ``` +### AWS Credentials +Copy the AWS Account credentials from doormat and set it in the terminal, where the enos commands are run. ## Executing Scenarios From the `enos` directory: diff --git a/enos/modules/aws_boundary/boundary-instances.tf b/enos/modules/aws_boundary/boundary-instances.tf index 7362884e6b..3f4bd7a204 100644 --- a/enos/modules/aws_boundary/boundary-instances.tf +++ b/enos/modules/aws_boundary/boundary-instances.tf @@ -26,6 +26,11 @@ resource "aws_instance" "controller" { encrypted = true } + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } + tags = merge(local.common_tags, { Name = "${local.name_prefix}-boundary-controller-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}" @@ -54,6 +59,11 @@ resource "aws_instance" "worker" { encrypted = true } + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } + tags = merge(local.common_tags, { Name = "${local.name_prefix}-boundary-worker-${count.index}-${split(":", data.aws_caller_identity.current.user_id)[1]}", diff --git a/enos/modules/aws_rdp_domain_controller/main.tf b/enos/modules/aws_rdp_domain_controller/main.tf index 68668560df..8f9c0b8d89 100644 --- a/enos/modules/aws_rdp_domain_controller/main.tf +++ b/enos/modules/aws_rdp_domain_controller/main.tf @@ -281,6 +281,7 @@ resource "aws_instance" "domain_controller" { metadata_options { http_endpoint = "enabled" + http_tokens = "required" instance_metadata_tags = "enabled" } get_password_data = true diff --git a/enos/modules/aws_rdp_member_server/main.tf b/enos/modules/aws_rdp_member_server/main.tf index 19f4bc60c1..aa42c05035 100644 --- a/enos/modules/aws_rdp_member_server/main.tf +++ b/enos/modules/aws_rdp_member_server/main.tf 
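Review bot: None of the new `metadata_options` blocks pins `http_put_response_hop_limit`, so the effective hop limit is left to whatever the AMI or account-level default supplies. This applies to the controller block in boundary-instances.tf, to the worker block in the same file, and to the blocks added in aws_target, aws_vault and aws_worker. With `http_tokens = "required"` the hop limit decides whether a token response can travel beyond the instance's own network stack. Assuming nothing on these hosts needs metadata from inside a container, I would add `http_put_response_hop_limit = 1` next to `http_tokens`. A one-line comment such as `# IMDSv2 only: metadata requests must present a session token` would also record the intent; the resource bodies continue outside the hunks.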
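Review bot: The domain controller keeps `instance_metadata_tags = "enabled"`, which suggests something on the host reads its tags from the metadata service, and once `http_tokens = "required"` is set any reader that does not first obtain a session token gets HTTP 401. The same holds for the matching one-line changes in aws_rdp_member_server, aws_rdp_member_server_with_worker and aws_windows_client. The scripts are not visible in these hunks, so please confirm that every metadata call in the user data and remote-exec steps first requests a token with a PUT to `/latest/api/token` and then sends it in the `X-aws-ec2-metadata-token` header. A comment above the block, for example `# IMDSv2 required: bootstrap scripts must fetch a token before reading tags`, would keep that dependency visible to whoever edits the scripts next.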
@@ -207,6 +207,7 @@ ${var.domain_admin_password} metadata_options { http_endpoint = "enabled" + http_tokens = "required" instance_metadata_tags = "enabled" } get_password_data = true diff --git a/enos/modules/aws_rdp_member_server_with_worker/main.tf b/enos/modules/aws_rdp_member_server_with_worker/main.tf index a1c87f1d39..68c9187be9 100644 --- a/enos/modules/aws_rdp_member_server_with_worker/main.tf +++ b/enos/modules/aws_rdp_member_server_with_worker/main.tf @@ -222,6 +222,7 @@ ${var.domain_admin_password} metadata_options { http_endpoint = "enabled" + http_tokens = "required" instance_metadata_tags = "enabled" } get_password_data = true diff --git a/enos/modules/aws_target/main.tf b/enos/modules/aws_target/main.tf index 2179a550b0..e7694cf9b1 100644 --- a/enos/modules/aws_target/main.tf +++ b/enos/modules/aws_target/main.tf @@ -126,13 +126,18 @@ resource "aws_instance" "target" { "Type" : "target", "Project" : "Enos", "Project Name" : "qti-enos-boundary", - "Environment" : var.environment + "Environment" : var.environment, "Enos User" : var.enos_user, }) root_block_device { encrypted = true } + + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } } resource "enos_remote_exec" "wait" { diff --git a/enos/modules/aws_vault/vault-instances.tf b/enos/modules/aws_vault/vault-instances.tf index 2fd1b092c4..8ed35ce60a 100644 --- a/enos/modules/aws_vault/vault-instances.tf +++ b/enos/modules/aws_vault/vault-instances.tf @@ -17,6 +17,11 @@ resource "aws_instance" "vault_instance" { Type = local.vault_cluster_tag }, ) + + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } } resource "enos_remote_exec" "install_dependencies" { diff --git a/enos/modules/aws_windows_client/main.tf b/enos/modules/aws_windows_client/main.tf index 245fa546f3..5b4b498de7 100644 --- a/enos/modules/aws_windows_client/main.tf +++ b/enos/modules/aws_windows_client/main.tf 
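Review bot: The hunk header shows `${var.domain_admin_password}` just above this `metadata_options` block in aws_rdp_member_server, which looks like the domain admin password being templated into a heredoc, possibly `user_data`. The same context line appears in the aws_rdp_member_server_with_worker hunk. If that is user data, requiring IMDSv2 narrows who can fetch it through a request-forwarding bug, but it stays readable by any local process on the host and through the EC2 API by any principal allowed `ec2:DescribeInstanceAttribute`. I would add a comment at the heredoc stating that the password is a throwaway test credential, or plan a follow-up that delivers it out of band, for example from SSM Parameter Store or Secrets Manager. The heredoc itself lies outside the hunk, so this is inferred from the header alone.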
@@ -247,6 +247,7 @@ resource "aws_instance" "client" { metadata_options { http_endpoint = "enabled" + http_tokens = "required" instance_metadata_tags = "enabled" } get_password_data = true diff --git a/enos/modules/aws_worker/main.tf b/enos/modules/aws_worker/main.tf index a7ba4d11e1..e92061a439 100644 --- a/enos/modules/aws_worker/main.tf +++ b/enos/modules/aws_worker/main.tf @@ -161,6 +161,11 @@ resource "aws_instance" "worker" { Name = "${var.name_prefix}-boundary-worker-${split(":", data.aws_caller_identity.current.user_id)[1]}", }, ) + + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } } resource "enos_bundle_install" "worker" {