diff --git a/machine/v1beta1/types_awsprovider.go b/machine/v1beta1/types_awsprovider.go
index d1d5941fa83..fa054ffc221 100644
--- a/machine/v1beta1/types_awsprovider.go
+++ b/machine/v1beta1/types_awsprovider.go
@@ -265,18 +265,72 @@ const (
 	MetadataServiceAuthenticationOptional = "Optional"
 )
 
+// HTTPEndpointState describes the state of the HTTP metadata endpoint.
+type HTTPEndpointState string
+
+const (
+	// HTTPEndpointDisabled disables the HTTP metadata endpoint.
+	HTTPEndpointDisabled HTTPEndpointState = "Disabled"
+	// HTTPEndpointEnabled enables the HTTP metadata endpoint.
+	HTTPEndpointEnabled HTTPEndpointState = "Enabled"
+)
+
+// InstanceMetadataTagsState describes the state of access to instance tags from the instance metadata.
+type InstanceMetadataTagsState string
+
+const (
+	// InstanceMetadataTagsDisabled disables access to instance tags from the instance metadata.
+	InstanceMetadataTagsDisabled InstanceMetadataTagsState = "Disabled"
+	// InstanceMetadataTagsEnabled enables access to instance tags from the instance metadata.
+	InstanceMetadataTagsEnabled InstanceMetadataTagsState = "Enabled"
+)
+
 // MetadataServiceOptions defines the options available to a user when configuring
 // Instance Metadata Service (IMDS) Options.
 type MetadataServiceOptions struct {
+	// httpEndpoint enables or disables the HTTP metadata endpoint on your instances.
+	// Valid values are "Enabled" and "Disabled".
+	// When set to Enabled, the HTTP metadata endpoint is accessible.
+	// When set to Disabled, you cannot access your instance metadata.
+	// When omitted, the value is determined by account-level settings in the AWS Region, or the AWS service default if not configured at the account level.
+	// The typical AWS service default is Enabled.
+	// +kubebuilder:validation:Enum=Enabled;Disabled
+	// +optional
+	HTTPEndpoint *HTTPEndpointState `json:"httpEndpoint,omitempty"`
+
+	// httpPutResponseHopLimit is the maximum number of hops that the metadata token can travel.
+	// Valid values range from 1 to 64.
+	// When omitted, the value is determined by AWS in the following order of precedence:
+	// 1) Account-level settings in the AWS Region (if configured)
+	// 2) AMI configuration: 1 when ImdsSupport is v1.0, 2 when ImdsSupport is v2.0
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=64
+	// +optional
+	HTTPPutResponseHopLimit *int64 `json:"httpPutResponseHopLimit,omitempty"`
+
 	// authentication determines whether or not the host requires the use of authentication when interacting with the metadata service.
-	// When using authentication, this enforces v2 interaction method (IMDSv2) with the metadata service.
-	// When omitted, this means the user has no opinion and the value is left to the platform to choose a good
-	// default, which is subject to change over time. The current default is optional.
+	// When set to Required, this enforces v2 interaction method (IMDSv2) with the metadata service.
+	// When set to Optional, both IMDSv1 and IMDSv2 are allowed.
+	// When omitted, the value is determined by AWS in the following order of precedence:
+	// 1) Account-level settings in the AWS Region (if configured)
+	// 2) AMI configuration: Required when ImdsSupport is v2.0, Optional when ImdsSupport is v1.0
 	// At this point this field represents `HttpTokens` parameter from `InstanceMetadataOptionsRequest` structure in AWS EC2 API
 	// https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html
 	// +kubebuilder:validation:Enum=Required;Optional
 	// +optional
 	Authentication MetadataServiceAuthentication `json:"authentication,omitempty"`
+
+	// instanceMetadataTags enables or disables access to instance tags from the instance metadata.
+	// Valid values are "Enabled" and "Disabled".
+	// When set to Enabled, you can retrieve your instance tags from the instance metadata.
+	// When set to Disabled, instance tags are not accessible from the instance metadata.
+	// When omitted, the value is determined by account-level settings in the AWS Region, or the AWS service default if not configured at the account level.
+	// The typical AWS service default is Disabled.
+	// For more information, see the AWS documentation:
+	// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS
+	// +kubebuilder:validation:Enum=Enabled;Disabled
+	// +optional
+	InstanceMetadataTags *InstanceMetadataTagsState `json:"instanceMetadataTags,omitempty"`
 }
 
 // AWSResourceReference is a reference to a specific AWS resource by ID, ARN, or filters.
diff --git a/machine/v1beta1/zz_generated.deepcopy.go b/machine/v1beta1/zz_generated.deepcopy.go
index d08906c7d87..3eb371ff9ba 100644
--- a/machine/v1beta1/zz_generated.deepcopy.go
+++ b/machine/v1beta1/zz_generated.deepcopy.go
@@ -79,7 +79,7 @@ func (in *AWSMachineProviderConfig) DeepCopyInto(out *AWSMachineProviderConfig)
 		*out = new(SpotMarketOptions)
 		(*in).DeepCopyInto(*out)
 	}
-	out.MetadataServiceOptions = in.MetadataServiceOptions
+	in.MetadataServiceOptions.DeepCopyInto(&out.MetadataServiceOptions)
 	if in.PlacementGroupPartition != nil {
 		in, out := &in.PlacementGroupPartition, &out.PlacementGroupPartition
 		*out = new(int32)
@@ -1482,6 +1482,21 @@ func (in *MachineTemplateSpec) DeepCopy() *MachineTemplateSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetadataServiceOptions) DeepCopyInto(out *MetadataServiceOptions) {
 	*out = *in
+	if in.HTTPEndpoint != nil {
+		in, out := &in.HTTPEndpoint, &out.HTTPEndpoint
+		*out = new(HTTPEndpointState)
+		**out = **in
+	}
+	if in.HTTPPutResponseHopLimit != nil {
+		in, out := &in.HTTPPutResponseHopLimit, &out.HTTPPutResponseHopLimit
+		*out = new(int64)
+		**out = **in
+	}
+	if in.InstanceMetadataTags != nil {
+		in, out := &in.InstanceMetadataTags, &out.InstanceMetadataTags
+		*out = new(InstanceMetadataTagsState)
+		**out = **in
+	}
 	return
 }
 
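Review bot: The `httpPutResponseHopLimit` comment gives the valid range but not the consequence of raising it, and that consequence is the security-relevant part of the field: the hop limit bounds how far IMDSv2 responses can travel from the instance, so a value above 1 lets workloads behind an additional network hop on the host (for example containers on a bridged network) obtain metadata tokens. I would add after the "Valid values range from 1 to 64." line: `// Values greater than 1 allow IMDSv2 responses to reach workloads behind an additional network hop on the instance, such as containers; use the lowest value the workload requires.` For the same reason the `authentication` comment could note that Optional leaves IMDSv1 reachable and that Required is the setting to prefer where the workload supports it. The swagger and OpenAPI descriptions in the later hunks are generated from these comments and would need regenerating after the wording change.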
diff --git a/machine/v1beta1/zz_generated.swagger_doc_generated.go b/machine/v1beta1/zz_generated.swagger_doc_generated.go
index 093a4007694..849ef373a40 100644
--- a/machine/v1beta1/zz_generated.swagger_doc_generated.go
+++ b/machine/v1beta1/zz_generated.swagger_doc_generated.go
@@ -145,8 +145,11 @@ func (LoadBalancerReference) SwaggerDoc() map[string]string {
 }
 
 var map_MetadataServiceOptions = map[string]string{
-	"":               "MetadataServiceOptions defines the options available to a user when configuring Instance Metadata Service (IMDS) Options.",
-	"authentication": "authentication determines whether or not the host requires the use of authentication when interacting with the metadata service. When using authentication, this enforces v2 interaction method (IMDSv2) with the metadata service. When omitted, this means the user has no opinion and the value is left to the platform to choose a good default, which is subject to change over time. The current default is optional. At this point this field represents `HttpTokens` parameter from `InstanceMetadataOptionsRequest` structure in AWS EC2 API https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html",
+	"":                        "MetadataServiceOptions defines the options available to a user when configuring Instance Metadata Service (IMDS) Options.",
+	"httpEndpoint":            "httpEndpoint enables or disables the HTTP metadata endpoint on your instances. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled, the HTTP metadata endpoint is accessible. When set to Disabled, you cannot access your instance metadata. When omitted, the value is determined by account-level settings in the AWS Region, or the AWS service default if not configured at the account level. The typical AWS service default is Enabled.",
+	"httpPutResponseHopLimit": "httpPutResponseHopLimit is the maximum number of hops that the metadata token can travel. Valid values range from 1 to 64. When omitted, the value is determined by AWS in the following order of precedence: 1) Account-level settings in the AWS Region (if configured) 2) AMI configuration: 1 when ImdsSupport is v1.0, 2 when ImdsSupport is v2.0",
+	"authentication":          "authentication determines whether or not the host requires the use of authentication when interacting with the metadata service. When set to Required, this enforces v2 interaction method (IMDSv2) with the metadata service. When set to Optional, both IMDSv1 and IMDSv2 are allowed. When omitted, the value is determined by AWS in the following order of precedence: 1) Account-level settings in the AWS Region (if configured) 2) AMI configuration: Required when ImdsSupport is v2.0, Optional when ImdsSupport is v1.0 At this point this field represents `HttpTokens` parameter from `InstanceMetadataOptionsRequest` structure in AWS EC2 API https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html",
+	"instanceMetadataTags":    "instanceMetadataTags enables or disables access to instance tags from the instance metadata. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled, you can retrieve your instance tags from the instance metadata. When set to Disabled, instance tags are not accessible from the instance metadata. When omitted, the value is determined by account-level settings in the AWS Region, or the AWS service default if not configured at the account level. The typical AWS service default is Disabled. For more information, see the AWS documentation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS",
 }
 
 func (MetadataServiceOptions) SwaggerDoc() map[string]string {
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
index f29c06e82fb..90dc42ca89f 100644
--- a/openapi/generated_openapi/zz_generated.openapi.go
+++ b/openapi/generated_openapi/zz_generated.openapi.go
@@ -43047,9 +43047,30 @@ func schema_openshift_api_machine_v1beta1_MetadataServiceOptions(ref common.Refe
 				Description: "MetadataServiceOptions defines the options available to a user when configuring Instance Metadata Service (IMDS) Options.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
+					"httpEndpoint": {
+						SchemaProps: spec.SchemaProps{
+							Description: "httpEndpoint enables or disables the HTTP metadata endpoint on your instances. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled, the HTTP metadata endpoint is accessible. When set to Disabled, you cannot access your instance metadata. When omitted, the value is determined by account-level settings in the AWS Region, or the AWS service default if not configured at the account level. The typical AWS service default is Enabled.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"httpPutResponseHopLimit": {
+						SchemaProps: spec.SchemaProps{
+							Description: "httpPutResponseHopLimit is the maximum number of hops that the metadata token can travel. Valid values range from 1 to 64. When omitted, the value is determined by AWS in the following order of precedence: 1) Account-level settings in the AWS Region (if configured) 2) AMI configuration: 1 when ImdsSupport is v1.0, 2 when ImdsSupport is v2.0",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
 					"authentication": {
 						SchemaProps: spec.SchemaProps{
-							Description: "authentication determines whether or not the host requires the use of authentication when interacting with the metadata service. When using authentication, this enforces v2 interaction method (IMDSv2) with the metadata service. When omitted, this means the user has no opinion and the value is left to the platform to choose a good default, which is subject to change over time. The current default is optional. At this point this field represents `HttpTokens` parameter from `InstanceMetadataOptionsRequest` structure in AWS EC2 API https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html",
+							Description: "authentication determines whether or not the host requires the use of authentication when interacting with the metadata service. When set to Required, this enforces v2 interaction method (IMDSv2) with the metadata service. When set to Optional, both IMDSv1 and IMDSv2 are allowed. When omitted, the value is determined by AWS in the following order of precedence: 1) Account-level settings in the AWS Region (if configured) 2) AMI configuration: Required when ImdsSupport is v2.0, Optional when ImdsSupport is v1.0 At this point this field represents `HttpTokens` parameter from `InstanceMetadataOptionsRequest` structure in AWS EC2 API https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_InstanceMetadataOptionsRequest.html",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"instanceMetadataTags": {
+						SchemaProps: spec.SchemaProps{
+							Description: "instanceMetadataTags enables or disables access to instance tags from the instance metadata. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled, you can retrieve your instance tags from the instance metadata. When set to Disabled, instance tags are not accessible from the instance metadata. When omitted, the value is determined by account-level settings in the AWS Region, or the AWS service default if not configured at the account level. The typical AWS service default is Disabled. For more information, see the AWS documentation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#work-with-tags-in-IMDS",
 							Type:        []string{"string"},
 							Format:      "",
 						},