
stefansundin / ec2-metadata-filter

Licence: MIT license
Enhance the security of the EC2 metadata service. (Obsolete thanks to Instance Metadata Service Version 2, see note in README)



Update November 2019

AWS has now released Instance Metadata Service Version 2 (IMDSv2) which basically solves this problem and makes ec2-metadata-filter obsolete. This is opt-in, so make sure you enable this by setting HttpTokens to required. For more information, see this documentation page. The SEC310 reInvent session is also helpful.

ec2-metadata-filter

This is a small program that you can install on EC2 instances in order to enhance the security of the EC2 metadata service.

The metadata service is used to provide temporary security credentials for the IAM role associated with an EC2 instance (among other things). The service did not have any security protections built in, and you can find numerous examples online that show how this can be exploited.

Google Compute Engine, on the other hand, requires a special header to be present (Metadata-Flavor: Google). This might seem like a small thing, but it is extremely effective. Here is a good comparison of how the different cloud metadata services behave.

There is a Netflix blog post on the subject, and it appears that they are working with AWS to add protections based on the User-Agent header instead (the details of how and when this will be available for everyone are unclear). The benefit of checking the User-Agent header is that all SDKs should continue to just work (if you use curl or other libraries then you will have to update your code). I decided to support this behavior since it greatly simplifies the rollout of this program: some applications will not require any modification at all.

The program acts as a reverse proxy, and relies on an iptables rule to redirect all traffic destined for 169.254.169.254 through this proxy. The program blocks any request with a User-Agent that does not start with one of the following prefixes:

aws-chalice/
aws-cli/
aws-sdk-
Boto3/
Botocore/
Cloud-Init/

In addition to whitelisting User-Agent prefixes, the program also allows requests that send the header Metadata-Flavor: Amazon. This can be easily added to programs such as curl.

Like GCE, the program blocks requests containing an X-Forwarded-For header.
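The filtering rules described above, as an added example (not the project's own code): a Go reverse proxy that applies the User-Agent whitelist, the Metadata-Flavor: Amazon bypass and the X-Forwarded-For block before forwarding to 169.254.169.254. Exact header matching and the log wording are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// MetadataTarget is the real metadata service that allowed requests are forwarded to.
var MetadataTarget = &url.URL{Scheme: "http", Host: "169.254.169.254"}
// allowedUserAgentPrefixes is the User-Agent whitelist listed in the README.
var allowedUserAgentPrefixes = []string{"aws-chalice/", "aws-cli/", "aws-sdk-", "Boto3/", "Botocore/", "Cloud-Init/"}

// Allowed reports whether a request may reach the metadata service: it must carry no
// X-Forwarded-For header, and either Metadata-Flavor: Amazon or a whitelisted User-Agent prefix.
func Allowed(h http.Header) bool {
	if h.Get("X-Forwarded-For") != "" {
		return false
	}
	if h.Get("Metadata-Flavor") == "Amazon" {
		return true
	}
	ua := h.Get("User-Agent")
	for _, p := range allowedUserAgentPrefixes {
		if strings.HasPrefix(ua, p) {
			return true
		}
	}
	return false
}

// NewFilterHandler puts the check in front of a reverse proxy to target; blocked requests get a 400.
func NewFilterHandler(target *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(target)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !Allowed(r.Header) {
			log.Printf("Blocked request to %s from User-Agent: %s", r.URL.Path, r.UserAgent())
			http.Error(w, "Bad Request", http.StatusBadRequest)
			return
		}
		log.Printf("Proxying request to %s from User-Agent: %s", r.URL.Path, r.UserAgent())
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Loopback only, on the README's default port; the iptables REDIRECT rule sends traffic here.
	log.Fatal(http.ListenAndServe("127.0.0.1:16925", NewFilterHandler(MetadataTarget)))
}
```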

Related:

Install

The reverse proxy runs on port 16925 by default (you can use the PORT environment variable to change this), and listens only on the loopback interface.

There is a PPA available:

sudo add-apt-repository ppa:stefansundin/ec2-metadata-filter
sudo apt-get update
sudo apt-get install ec2-metadata-filter

The Debian package will install the program, create the user (explained below), and add a systemd service (which is started automatically). It will not set up the iptables rule for you.

Run journalctl -u ec2-metadata-filter.service to see logs from the service.

iptables rule

This setup creates a new user whose only purpose is to run the reverse proxy. Requests to 169.254.169.254 from any other user are redirected to the proxy.

First create the user:

$ sudo adduser --system --no-create-home --home /nonexistent ec2-metadata

You could in theory use root, but that is a bad idea if security bugs are found in this program, and it would also exempt root from this protection.

You can safely ignore the warning that says: Warning: The home dir /nonexistent you specified can't be accessed: No such file or directory

Then create the iptables rule:

$ sudo iptables -t nat -A OUTPUT -d 169.254.169.254 -p tcp -m owner \! --uid-owner ec2-metadata -j REDIRECT --to-port 16925

Then run the program as the special user:

$ sudo -u ec2-metadata ec2-metadata-filter

To persist the iptables rule, install iptables-persistent:

$ sudo apt-get install iptables-persistent

When it asks you if you want to save your IPv4 rules, select Yes. You can also run:

$ sudo netfilter-persistent save

The file /etc/iptables/rules.v4 should look something like the following:

# Generated by iptables-save v1.6.1 on Sat Feb  2 05:01:04 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [6:550]
:POSTROUTING ACCEPT [6:550]
-A OUTPUT -d 169.254.169.254/32 -p tcp -m owner ! --uid-owner 113 -j REDIRECT --to-ports 16925
COMMIT
# Completed on Sat Feb  2 05:01:04 2019
# Generated by iptables-save v1.6.1 on Sat Feb  2 05:01:04 2019
*filter
:INPUT ACCEPT [101:13692]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [85:28118]
COMMIT
# Completed on Sat Feb  2 05:01:04 2019

Validate

Ensure that it is working properly!

Perform a request with the aws-cli (without any local credentials present!):

$ aws sts get-caller-identity

In the systemd logs, you should see the following:

Proxying request to /latest/meta-data/iam/security-credentials/ from User-Agent: aws-cli/1.15.71 Python/3.5.2 Linux/4.15.0-43-generic botocore/1.10.70

That means that the request was received by the program which then forwarded it after checking the User-Agent header. Now try with curl:

$ curl -i http://169.254.169.254/latest/meta-data/iam/security-credentials/
HTTP/1.1 400 Bad Request

The request was blocked, great!

Now try adding the Metadata-Flavor: Amazon header:

$ curl -i -H 'Metadata-Flavor: Amazon' http://169.254.169.254/latest/meta-data/iam/security-credentials/
HTTP/1.1 200 OK

That worked!

Troubleshooting

Print your iptables rules by running sudo iptables-save. Does it contain the nat rule to redirect traffic destined for 169.254.169.254?

If you see the error http: proxy error: context canceled, that means that the program is having problems forwarding the request to the real metadata service. Are you running on an EC2 instance?

If you see hundreds of lines that eventually end with http: proxy error: dial tcp 169.254.169.254:80: socket: too many open files, that means that the program is also affected by the iptables rule. Are you running the program as the special user?

Elastic Beanstalk issues requests to the metadata service using curl, so it will not work out of the box. This requires more research.

To undo the iptables rule, run sudo iptables -t nat -F. This will flush all rules in the nat table.
