bottlerocket
Support ECS `ECS_AWSVPC_BLOCK_IMDS` configuration
What I'd like:
I'd like to be able to configure the ECS agent with `ECS_AWSVPC_BLOCK_IMDS=true`.
One thing that is unclear to me is if this setting is actually necessary for IMDSv2, but I suppose that's for another repo.
@jarreds Thanks for raising this issue. We will look into this. Also:
> but I suppose that's for another repo

Can you explain which other repo you are referring to?
Hi @jarreds, I read the code in the ECS agent and `ECS_AWSVPC_BLOCK_IMDS` is used to configure the VPC ENI plugin. This configuration will add a blackhole rule for all the IMDS endpoints, which basically means blocking access to IMDS for the task. Since we don't support that setting yet through the API, a workaround could be to block access to IMDS at the instance level, as this page suggests:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances--turn-off-instance-metadata
Unfortunately, as I said, this will disable IMDS access at the instance level, which may not be ideal for your use case.
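To make the check and the workaround concrete, here is an added shell example; it is not code from this thread, from Bottlerocket, or from the ECS agent. It shows how to probe IMDS reachability from inside a running task (the per-task blackhole route installed by the ENI plugin makes the connection fail fast, a disabled instance endpoint typically times out) and the AWS CLI call that turns off the IMDS endpoint for the whole instance, as the linked page describes. The instance ID argument is a placeholder, and the verdict mapping assumes curl's documented exit codes (0 completed, 7 failed to connect, 28 timed out).

```shell
#!/bin/sh
# Added example: probe IMDS from a task and apply the instance-level workaround.

IMDS_URL="http://169.254.169.254/latest/meta-data/"

# Map a curl exit code to a reachability verdict.
# 0  -> an HTTP exchange completed, so IMDS is reachable (a 401 from an
#       IMDSv2-only endpoint still counts as reachable: the task can talk to it)
# 7  -> could not connect: a blackhole route or no route to 169.254.169.254
# 28 -> timed out: typical when the instance endpoint is disabled
classify_imds_result() {
    case "$1" in
        0)  echo "reachable" ;;
        7)  echo "blocked" ;;
        28) echo "blocked" ;;
        *)  echo "unknown" ;;
    esac
}

# Run this inside the task's network namespace (e.g. as a one-off command in
# the task container). The || rc=$? form keeps the probe usable under set -e.
probe_imds() {
    rc=0
    curl -s -o /dev/null --max-time 3 "$IMDS_URL" || rc=$?
    classify_imds_result "$rc"
}

# Instance-level workaround from the thread: disable the IMDS endpoint for the
# entire instance. $1 is the EC2 instance ID (placeholder). This also removes
# IMDS from the host and the ECS agent, which is the drawback noted above.
disable_imds_on_instance() {
    aws ec2 modify-instance-metadata-options \
        --instance-id "$1" \
        --http-endpoint disabled
}
```

The probe does not pass `-f` to curl on purpose: with IMDSv2 enforced, an unauthenticated GET returns 401, and that response still proves the task can reach the endpoint, which is exactly what `ECS_AWSVPC_BLOCK_IMDS` is meant to prevent.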
@vyaghras I was referring to https://github.com/aws/amazon-ecs-agent.
@arnaldo2792 thank you for the recommendation. Unfortunately, we do need IMDS enabled on the instance. We'd simply like to block tasks from accessing it.
@jarreds, no worries! Let us take this back to the team to prioritize and check when this can be delivered.