Protecting your Instance Metadata

Summary

AWS has released a new version of the metadata service that will better secure instance metadata against attackers. In this post, I will discuss the risk of hackers gaining access to the instance metadata service and how the latest update mitigates the risk.

Instance Metadata

All EC2 instances running in AWS have a metadata service running that allows you to query information about the instance. The service has endpoints that return security credentials for the instance profile that is being used. This is required so that the instance can assume the role when making calls against the AWS API using the instance profile (IAM role) that has been configured for the instance.

For obvious reasons, this service can only be queried from the local machine and is not exposed to external network interfaces. However, if an attacker can inject a URL into your application and the application fetches that URL from the instance (server-side request forgery), the request originates from the local machine and the attacker can read the credentials.

Mitigating the issue

The recently announced metadata service update aims to mitigate this vulnerability. With it comes a new set of features that allow you to better configure and control the service. I will outline these features below and give a brief explanation of how they can be used.

Turn off Metadata Service

Some machines may not need the metadata service at all. In these cases you can safely turn it off by issuing the following CLI command.

aws ec2 modify-instance-metadata-options --instance-id i-1234567898abcdef0 --http-endpoint disabled

This can be done on any machine whose metrics show no metadata usage, even before you migrate to or upgrade the metadata service. The command is reversible, so if it breaks something you can turn the service back on.

Session-based access

In order to fetch instance metadata, you can now use token-based access. You do this by making an initial PUT request to retrieve a token and then presenting that token on subsequent calls. This prevents credential information from being exposed through a simple GET request. However, for backwards-compatibility reasons, the old token-less style still continues to function. You must migrate your applications to session-based access, and then require it, before it protects your instances.
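The PUT-then-GET exchange described above, as an added example that is not part of the original post. The header names, token path and 21600-second TTL are the real IMDSv2 ones; the server class is a constructed local stand-in that imitates an instance with tokens set to "required" (it is not AWS code), so the whole thing runs offline and shows why a token-less GET gets nothing:

```python
import http.server, secrets, threading, urllib.error, urllib.request
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
_ISSUED = set()  # tokens handed out by the stand-in server
OPEN = urllib.request.build_opener(urllib.request.ProxyHandler({})).open  # ignore proxy env vars

class MockImdsV2(http.server.BaseHTTPRequestHandler):  # constructed stand-in, tokens required (not AWS code)
    log_message = lambda self, *args: None  # keep the demo quiet

    def do_PUT(self):
        # A token is only issued by PUT with a TTL header; a plain GET can never obtain one.
        if self.path == TOKEN_PATH and self.headers.get(TTL_HEADER, "").isdigit():
            _ISSUED.add(token := secrets.token_urlsafe(32))
            self._reply(200, token)
        else:
            self._reply(400, "missing TTL header or wrong path")

    def do_GET(self):
        # Every metadata read must carry a token that this server issued.
        if self.headers.get(TOKEN_HEADER) in _ISSUED:
            self._reply(200, "i-0example00000000")  # constructed instance id
        else:
            self._reply(401, "unauthorized")

    def _reply(self, code, body):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body.encode())

def fetch_metadata(base_url, path, ttl_seconds=21600):
    """IMDSv2 client flow: PUT for a session token, then GET with that token."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT", headers={TTL_HEADER: str(ttl_seconds)})
    with OPEN(req) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base_url + path, headers={TOKEN_HEADER: token})
    with OPEN(req) as resp:
        return resp.read().decode()

def plain_get_status(base_url, path):
    """HTTP status a token-less GET (the shape of an injected-URL request) receives."""
    try:
        return OPEN(base_url + path).status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    """Start the stand-in on a free local port and exercise both request styles."""
    server = http.server.HTTPServer(("127.0.0.1", 0), MockImdsV2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    return fetch_metadata(base, "/latest/meta-data/instance-id"), plain_get_status(base, "/latest/meta-data/instance-id")
```

Against a real instance you would replace the base URL with http://169.254.169.254 and drop the stand-in server; the client flow in fetch_metadata is unchanged.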

New CloudWatch Metric

There is now a per-instance CloudWatch metric called MetadataNoToken. It counts the number of requests made to the metadata service that did not include a token. This is the key indicator to watch during the migration to token-based metadata usage, and it can also be used, before the metadata service is updated, to find instances that are using the metadata service at all.

New IAM condition to require token-based access

The following IAM condition only allows a new instance to be launched when session-based (token-required) metadata access is configured for it. IAM policies that grant ec2:RunInstances should be updated to include this condition.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "RunInstanceWithImdsV2Only",
		"Effect": "Allow",
		"Action": "ec2:RunInstances",
		"Resource": "*",
		"Condition": {
			"StringEquals": {
				"ec2:MetadataHttpTokens": "required"
			}
		}
	}]
}

Summarizing

While not a complete solution to the metadata service vulnerability, I feel this is a good first step towards further securing EC2 instances. The new token-based access to metadata will help secure your AWS environment should an application be vulnerable to URL injection. However, it will take considerable effort to upgrade applications to take advantage of it. Once the metadata service has been upgraded, I suggest that everyone monitor the MetadataNoToken metric and disable the metadata service on instances that are not using it. In addition, all new instances should require token-based access, which means IAM policies should be updated to only allow session-based access on new instances.

Kerry Wilson
Principal Cloud Architect

Coming from a development background, Kerry’s focus is on application development, infrastructure and security automation, and applying agile software development practices to IT operations in the cloud.
