DEV Community

Geoffroy RENAUD
Geoffroy RENAUD

Posted on

AWS protect SSRF vulnerabilities with new EC2 Instance Metadata feature

After the annonce on the AWS Security blog for protecting AWS instance from SSRF attack, we should test and implement this new security feature: https://aws.amazon.com/fr/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

AWS documentation about this feature : https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#configuring-instance-metadata-options

There is 2 methods in order to use it :

  • Add a policy to your users/geoups with this example policy :
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RunInstanceWithImdsV2Only",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:MetadataHttpTokens": "required"
            }
        }
    }]
}
  • Modify a running instance metadata :

aws ec2 modify-instance-metadata-options --instance-id i-1234567898abcdef0 --http-token required

We need to enforce this best practice if possible by design using AWS Organization SCP.

Here a first try for a policy to Enforce EC2 Metadata Token :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceEC2metadataTOKEN",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "ec2:MetadataHttpTokens": "required"
                }
            }
        }
    ]
}

Seems working for me, I need to try more when Terraform or CDK will implement the feature to completely validate:

@ejcx_ wrote an article about this feature with a incomplete satisfaction, here why with explanation: https://ejj.io/blog/fixing-capital-one

Discussion (0)