After the announcement on the AWS Security blog about protecting EC2 instances from SSRF attacks, we should test and implement this new security feature: https://aws.amazon.com/fr/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
AWS documentation for this feature: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#configuring-instance-metadata-options
There are two methods to use it:
- Add a policy to your users/groups, for example this policy, which only allows launches that require the IMDSv2 token:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RunInstanceWithImdsV2Only",
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "ec2:MetadataHttpTokens": "required"
      }
    }
  }]
}
```

- Modify the metadata options of a running instance (the CLI flag is `--http-tokens`):

```shell
aws ec2 modify-instance-metadata-options --instance-id i-1234567898abcdef0 --http-tokens required
```
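Once an instance has been modified with the command above, the practical check is whether its metadata service still answers a request that carries no token. The following script is an added example, not part of the original post and not AWS tooling: `imdsv1_allowed()` does a token-less GET and `fetch_with_token()` walks the IMDSv2 PUT-then-GET flow. Run on an instance it talks to the real endpoint; `run_local_demo()` starts a constructed mock of an instance with `HttpTokens=required` on localhost so the logic can also be exercised offline. The endpoint paths and header names are those of IMDS; the mock, its token value and the instance ID it returns are constructed.

```python
"""Check whether an EC2 instance's IMDS now rejects token-less (IMDSv1) requests.

Added example, not part of the original post. On an EC2 instance the functions
talk to IMDS_URL; run_local_demo() uses a constructed mock that behaves like an
instance with HttpTokens=required, so the script also runs offline.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

IMDS_URL = "http://169.254.169.254"          # real endpoint on an EC2 instance
TOKEN_PATH = "/latest/api/token"
META_PATH = "/latest/meta-data/instance-id"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def http_status(method, url, headers=None, timeout=2.0):
    """Return (status_code, body) without raising on 4xx/5xx responses."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def imdsv1_allowed(base_url=IMDS_URL):
    """True if a plain GET (no token) still returns metadata, i.e. IMDSv1 is on."""
    status, _ = http_status("GET", base_url + META_PATH)
    return status == 200


def fetch_with_token(base_url=IMDS_URL, ttl=60):
    """IMDSv2 flow: PUT for a session token, then GET with the token header."""
    status, token = http_status("PUT", base_url + TOKEN_PATH,
                                {TOKEN_TTL_HEADER: str(ttl)})
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    status, body = http_status("GET", base_url + META_PATH, {TOKEN_HEADER: token})
    if status != 200:
        raise RuntimeError(f"metadata request failed with HTTP {status}")
    return body


class _MockImdsHandler(BaseHTTPRequestHandler):
    """Constructed mock of an instance with HttpTokens=required (not AWS code)."""
    TOKEN = "constructed-session-token"

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # A token is only issued when the TTL header is present, as on IMDS.
        if self.path == TOKEN_PATH and TOKEN_TTL_HEADER in self.headers:
            self._send(200, self.TOKEN)
        else:
            self._send(400, "")

    def do_GET(self):
        # HttpTokens=required: reject any request that lacks a valid token.
        if self.headers.get(TOKEN_HEADER) != self.TOKEN:
            self._send(401, "")
        elif self.path == META_PATH:
            self._send(200, "i-0constructed0example")  # constructed instance ID
        else:
            self._send(404, "")

    def log_message(self, *args):
        pass  # keep the demo output quiet


def run_local_demo():
    """Start the mock IMDS, run both checks against it, return the results."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _MockImdsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {"imdsv1_allowed": imdsv1_allowed(base),
                "instance_id": fetch_with_token(base)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_local_demo())
```

On an instance where the modify call took effect, `imdsv1_allowed()` returns False (the endpoint answers 401 to the token-less GET) while `fetch_with_token()` still returns the instance ID, which confirms that workloads already using IMDSv2 keep working.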
We need to enforce this best practice by design where possible, using an AWS Organizations SCP.
Here is a first attempt at a policy to enforce the EC2 metadata token:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceEC2metadataTOKEN",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    }
  ]
}
```
It seems to work for me; I need to test more once Terraform or CDK implement the feature, to validate it completely:
- https://github.com/aws/aws-cdk/issues/5137
- https://github.com/terraform-providers/terraform-provider-aws/issues/10949
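The SCP above only governs new `ec2:RunInstances` calls; instances launched before it was attached keep `HttpTokens=optional` until each one gets the `modify-instance-metadata-options` call from the first section. The following script is an added example, not from the post and not from AWS: it walks the `Reservations` structure returned by `describe-instances`, lists the instances whose metadata service still accepts IMDSv1 (skipping those with `HttpEndpoint=disabled`, which expose no metadata at all), and builds the `ModifyInstanceMetadataOptions` parameters for each. `SAMPLE_RESERVATIONS` is constructed data; `main()` assumes boto3 and AWS credentials are available and runs the same logic against an account, as a dry run by default.

```python
"""Find EC2 instances that still accept IMDSv1 and build the remediation call.

Added example, not from the original post. The data shape is that of
`aws ec2 describe-instances` (Reservations -> Instances -> MetadataOptions);
SAMPLE_RESERVATIONS is constructed for the demo. With boto3 and credentials
available, main() runs the same logic against a real account.
"""

# Constructed sample: three instances, only one of them already compliant.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111constructed", "State": {"Name": "running"},
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0bbb222constructed", "State": {"Name": "running"},
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccc333constructed", "State": {"Name": "stopped"},
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
    ]},
]


def imdsv1_instances(reservations):
    """Instance IDs whose metadata service does not require a token.

    An instance with HttpEndpoint=disabled serves no metadata at all, so it is
    not reported here even though HttpTokens is still 'optional'; set it to
    'required' anyway before ever re-enabling the endpoint.
    """
    found = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue
            if opts.get("HttpTokens") != "required":
                found.append(inst["InstanceId"])
    return found


def remediation_params(instance_id):
    """Parameters for ModifyInstanceMetadataOptions, the API behind
    `aws ec2 modify-instance-metadata-options --http-tokens required`.
    HttpEndpoint is set explicitly so the metadata service stays reachable."""
    return {"InstanceId": instance_id,
            "HttpTokens": "required",
            "HttpEndpoint": "enabled"}


def plan(reservations):
    """One remediation call per instance that still accepts IMDSv1."""
    return [remediation_params(i) for i in imdsv1_instances(reservations)]


def main(dry_run=True):
    """Audit a real account (assumes boto3 and credentials); apply if not dry_run."""
    import boto3  # imported here so the audit logic above runs without boto3
    ec2 = boto3.client("ec2")
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    for params in plan(reservations):
        print("would enforce IMDSv2 on" if dry_run else "enforcing IMDSv2 on",
              params["InstanceId"])
        if not dry_run:
            ec2.modify_instance_metadata_options(**params)


if __name__ == "__main__":
    for p in plan(SAMPLE_RESERVATIONS):
        print(p)
```

Run as-is the script only prints the plan for the constructed sample; call `main()` for a dry run against an account and `main(dry_run=False)` to apply the change. The `HttpEndpoint=disabled` skip is a deliberate choice: those instances are already unreachable, and reporting them would hide the ones that actually need attention.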
@ejcx_ wrote an article about this feature explaining why he is not entirely satisfied with it: https://ejj.io/blog/fixing-capital-one