diff --git a/main.tf b/main.tf
index 749e67d4..4e63d15b 100644
--- a/main.tf
+++ b/main.tf
@@ -553,7 +553,7 @@ locals {
 }
 
 data "aws_iam_policy_document" "assume_role_policy" {
-  count = var.create && var.create_iam_instance_profile ? 1 : 0
+  count = var.create && var.create_iam_instance_profile ? 0 : 1
 
   statement {
     sid     = "EC2AssumeRole"
diff --git a/variables.tf b/variables.tf
index 38a1b5b2..e59a9dc8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -160,7 +160,7 @@ variable "metadata_options" {
   default = {
     "http_endpoint"               = "enabled"
     "http_put_response_hop_limit" = 1
-    "http_tokens"                 = "optional"
+    "http_tokens"                 = "required"
   }
 }