riju
Block access to EC2 Instance Metadata
Currently it's possible to retrieve instance metadata from EC2's link-local metadata IP address. This only grants you the ability to make AWS API calls as the server instance, i.e. have read-only access to S3, but I would still consider it a security problem. I presume it's possible to set up some iptables rules on the host, or something analogous but more user-friendly.
We can probably implement the DOCKER-USER solution suggested in https://ops.tips/blog/blocking-docker-containers-from-ec2-metadata/.
This should be handled by the cgroup setting here: https://github.com/raxod502/riju/blob/ff95d0aadb8f7b7af523fdcfd65972842122120e/packer/riju.slice#L14. However, that doesn't work for some reason. Will need to investigate.
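The DOCKER-USER approach mentioned in the thread, as an added example that is not code from the riju project or from the linked post: a POSIX shell script that inserts the drop rule idempotently and checks an `iptables-save` dump for its presence. It assumes the Docker bridge interface is named `docker0` (override with `BRIDGE`) and that containers reach the metadata address through that bridge; the sample dumps are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not riju's own code): insert and verify a DOCKER-USER rule
# that drops traffic from containers to the EC2 instance metadata address.
# Assumes the Docker bridge interface is docker0 (assumption; override BRIDGE).
IMDS_IP=169.254.169.254
BRIDGE="${BRIDGE:-docker0}"

# Rule arguments. DOCKER-USER is consulted before Docker's own FORWARD rules,
# so a DROP here applies to every container attached to the bridge.
imds_rule_args() {
  printf 'DOCKER-USER -i %s -d %s -j DROP' "$BRIDGE" "$IMDS_IP"
}

# Apply idempotently: -C tests for the rule, -I inserts it at the top.
apply_imds_block() {
  iptables -C $(imds_rule_args) 2>/dev/null || iptables -I $(imds_rule_args)
}

# Read an `iptables-save` dump on stdin; succeed only if DOCKER-USER holds a
# DROP or REJECT rule whose destination is the metadata address.
dump_blocks_imds() {
  grep -Eq "^-A DOCKER-USER .*-d ${IMDS_IP}(/32)? .*-j (DROP|REJECT)"
}

# Classify a dump passed as the first argument: prints "blocked" or "open".
classify_dump() {
  if printf '%s\n' "$1" | dump_blocks_imds; then echo blocked; else echo open; fi
}

# Constructed sample dumps for offline use (not captured from a real host).
SAMPLE_BLOCKED='*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -i docker0 -d 169.254.169.254/32 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'
SAMPLE_OPEN='*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN
COMMIT'

# From inside a container, the metadata request should now time out.
probe_imds_from_container() {
  curl -s --max-time 2 "http://${IMDS_IP}/latest/meta-data/" >/dev/null \
    && echo reachable || echo blocked
}
case "${1:-}" in
  apply) apply_imds_block ;;
  check) iptables-save | dump_blocks_imds && echo blocked || echo open ;;
esac
```

Run `sh block-imds.sh apply` on the host as root, then `sh block-imds.sh check` to confirm the rule survived; `probe_imds_from_container` is meant to be run inside a container.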