Sunday, November 3, 2019

Accessing AWS metadata from EC2 instance

Recently I found a few alternative ways to access EC2 metadata during my studies for the AWS Security Specialty exam.

Using http://169.254.169.254/latest/meta-data/
This is the most popular way to access the metadata from an EC2 instance.


Using http://instance-data/latest/meta-data/
But did you know that you can use the hostname "instance-data" instead of the 169.254.169.254 IP address to access the same information?


Using the ec2-metadata command
If you are logged in as ec2-user, you can run the "ec2-metadata" command to access the same set of data. This command has many options to filter the information you need. If you are logged in as another user, you will have to add "/opt/aws/bin" to your PATH, or use the full path (/opt/aws/bin/ec2-metadata) to run the command.
You can find many such CLI tools for accessing AWS services in /opt/aws/bin/. (My test was done on an Amazon Linux AMI.)

Securing access to this service is important, as it allows anyone who can send a request from the instance to obtain temporary credentials for the IAM role assigned to the EC2 instance. We have seen the name of this service appear in many security incidents in AWS infrastructure.

Possible mitigation of SSRF attacks on the metadata service
The Netflix security team has created a good solution, a "metadata proxy", to mitigate the compromise of AWS credentials through the metadata service by SSRF attacks. You can find the details here: https://github.com/Netflix-Skunkworks/aws-metadata-proxy . A nice thing about this tool is that it is transparent to existing services and users who access the AWS metadata URLs.

If you direct the log output of the proxy to a CloudWatch log group, you will be able to create alerts to detect malicious attempts to access the metadata URLs.
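As an added example (not code from the post or from the aws-metadata-proxy project), the following detection logic shows what such an alert rule could look like before it is moved into CloudWatch: it parses proxy-style access log lines, recognises both metadata hostnames described above, and raises an alert when a sensitive path (role credentials, user-data, instance identity) is read by a client identity that is not on an allow-list. The log line format, the uid field and the sample lines are constructed for this example; the real proxy's log format differs, so parse_line() would need adapting.

```python
"""Alert on sensitive EC2 metadata reads in (constructed) proxy access logs."""
import re
from urllib.parse import urlsplit

# Both names reach the same service, so a rule keyed on the IP alone misses
# requests that use the "instance-data" hostname.
METADATA_HOSTS = {"169.254.169.254", "instance-data"}

# Paths whose contents matter most if an SSRF reaches the service.
SENSITIVE_PREFIXES = {
    "/latest/meta-data/iam/security-credentials": "role-credentials",
    "/latest/user-data": "user-data",
    "/latest/dynamic/instance-identity": "instance-identity",
}

# Constructed log format: "<timestamp> uid=<client uid> <method> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname          # lower-cased, port stripped
    rec["path"] = parts.path.rstrip("/")  # treat ".../credentials/" like ".../credentials"
    return rec


def classify(rec):
    """Label a parsed request: sensitive category, 'metadata-other', or None."""
    if rec["host"] not in METADATA_HOSTS:
        return None
    for prefix, label in SENSITIVE_PREFIXES.items():
        if rec["path"] == prefix or rec["path"].startswith(prefix + "/"):
            return label
    return "metadata-other"


def find_alerts(lines, allowed_uids=frozenset()):
    """Return (ts, uid, label, path) for sensitive reads by non-allow-listed uids."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label and label != "metadata-other" and rec["uid"] not in allowed_uids:
            alerts.append((rec["ts"], rec["uid"], label, rec["path"]))
    return alerts


# Constructed sample: uid 1000 is the admin user, uid 48 stands in for a web server process.
SAMPLE_LOG = [
    "2019-11-03T10:00:01Z uid=1000 GET http://169.254.169.254/latest/meta-data/instance-id 200",
    "2019-11-03T10:00:05Z uid=1000 GET http://instance-data/latest/meta-data/iam/security-credentials/ 200",
    "2019-11-03T10:00:06Z uid=48 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role 200",
    "2019-11-03T10:00:09Z uid=48 GET http://169.254.169.254/latest/user-data 200",
    "2019-11-03T10:00:12Z uid=48 GET http://example.com/latest/meta-data/ 200",
]
```

Running find_alerts(SAMPLE_LOG, allowed_uids={"1000"}) flags only the two reads by uid 48 on the metadata hosts; the request to example.com and the plain instance-id lookup are ignored.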

(The "ec2-metadata" command line tool calls the above URLs via curl.)

UPDATE (19-NOV-2019):
AWS has finally added changes to mitigate the abuse of the metadata service by attackers. See https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
