diff --git a/mantle/cmd/ore/aws/upload.go b/mantle/cmd/ore/aws/upload.go
index 880180926d..78d0648062 100644
--- a/mantle/cmd/ore/aws/upload.go
+++ b/mantle/cmd/ore/aws/upload.go
@@ -64,6 +64,8 @@ After a successful run, the final line of output will be a line of JSON describi
 uploadGrantUsers []string
 uploadGrantUsersSnapshot []string
 uploadTags []string
+ uploadIMDSv2OnlySupport bool
+ uploadVolumeType string
 )
 
 func init() {
@@ -85,6 +87,8 @@ func init() {
 cmdUpload.Flags().StringSliceVar(&uploadGrantUsers, "grant-user", []string{}, "grant launch permission to this AWS user ID")
 cmdUpload.Flags().StringSliceVar(&uploadGrantUsersSnapshot, "grant-user-snapshot", []string{}, "grant snapshot volume permission to this AWS user ID")
 cmdUpload.Flags().StringSliceVar(&uploadTags, "tags", []string{}, "list of key=value tags to attach to the AMI")
+ cmdUpload.Flags().BoolVar(&uploadIMDSv2OnlySupport, "public", false, "enable IMDSv2-only support")
+ cmdUpload.Flags().StringVar(&uploadVolumeType, "volume-type", "gp2", "EBS volume type (gp3, gp2, io1, st1, sc1, standard, etc.)")
 }
 
 func defaultBucketNameForRegion(region string) string {
@@ -243,7 +247,7 @@ func runUpload(cmd *cobra.Command, args []string) error {
 }
 
 // create AMIs and grant permissions
- amiID, err := API.CreateHVMImage(sourceSnapshot, uploadDiskSizeGiB, uploadAMIName, uploadAMIDescription, uploadImageArchitecture)
+ amiID, err := API.CreateHVMImage(sourceSnapshot, uploadDiskSizeGiB, uploadAMIName, uploadAMIDescription, uploadImageArchitecture, uploadVolumeType, uploadIMDSv2OnlySupport)
 if err != nil {
 fmt.Fprintf(os.Stderr, "unable to create HVM image: %v\n", err)
 os.Exit(1)
diff --git a/mantle/platform/api/aws/images.go b/mantle/platform/api/aws/images.go
index 29f4f0e0f0..d826cc7a74 100644
--- a/mantle/platform/api/aws/images.go
+++ b/mantle/platform/api/aws/images.go
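Review bot: The new IMDSv2 flag in the second hunk is registered under the name `public`, so `--public` is what switches on IMDSv2-only support while its help text describes something else; this reads like a copy-paste slip. If init() already defines a `public` flag outside the hunk (not visible here), pflag will panic on the redefinition at startup; if it does not, operators have no discoverable way to ask for the hardened metadata setting, and anyone passing `--public` for another reason changes the image's metadata behaviour. Suggest `cmdUpload.Flags().BoolVar(&uploadIMDSv2OnlySupport, "imdsv2-only", false, "enable IMDSv2-only support")`. init() begins before this hunk.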
@@ -329,7 +329,7 @@ func (a *API) CreateImportRole(bucket string) error {
 return nil
 }
 
-func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, description string, architecture string) (string, error) {
+func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, description string, architecture string, volumetype string, imdsv2Only bool) (string, error) {
 var awsArch string
 var bootmode string
 if architecture == "" {
@@ -346,7 +346,11 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d
 return "", fmt.Errorf("unsupported ec2 architecture %q", architecture)
 }
 
- return a.createImage(&ec2.RegisterImageInput{
+ // default to gp2
+ if volumetype == "" {
+ volumetype = "gp2"
+ }
+ params := &ec2.RegisterImageInput{
 Name: aws.String(name),
 Description: aws.String(description),
 Architecture: aws.String(awsArch),
@@ -359,7 +363,7 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d
 SnapshotId: aws.String(snapshotID),
 DeleteOnTermination: aws.Bool(true),
 VolumeSize: aws.Int64(int64(diskSizeGiB)),
- VolumeType: aws.String("gp2"),
+ VolumeType: aws.String(volumetype),
 },
 },
 {
@@ -370,7 +374,12 @@ func (a *API) CreateHVMImage(snapshotID string, diskSizeGiB uint, name string, d
 EnaSupport: aws.Bool(true),
 SriovNetSupport: aws.String("simple"),
 BootMode: aws.String(bootmode),
- })
+ }
+ if imdsv2Only {
+ params.ImdsSupport = aws.String("v2.0")
+ }
+
+ return a.createImage(params)
 }
 
 func (a *API) deregisterImageIfExists(name string) error {
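Review bot: The exported CreateHVMImage has no doc comment, and after this change it takes six positional string-like arguments followed by a bool, which is easy to transpose at a call site without a compile error. A comment on the new signature would help, for example `// CreateHVMImage registers an HVM AMI backed by snapshotID. An empty volumetype falls back to "gp2"; imdsv2Only sets ImdsSupport to "v2.0" on the registered image.` Any callers of CreateHVMImage other than the one updated in upload.go are outside this diff and need the two extra arguments. The function body continues past this hunk.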
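Review bot: In the last hunk the `if imdsv2Only` branch hard-codes `"v2.0"`; if the vendored SDK exposes the enum constant, `params.ImdsSupport = aws.String(ec2.ImdsSupportValuesV20)` avoids a silent typo in a security-relevant value. The field stays unset when imdsv2Only is false, and the CLI flag defaults to false, so images registered through this path keep allowing IMDSv1 unless the caller opts in. A comment above the branch would make that explicit, e.g. `// ImdsSupport "v2.0" makes instances launched from this AMI require IMDSv2 session tokens by default; left unset, IMDSv1 stays available.`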