KHV053 - AWS Metadata Exposure

Issue description

AWS EC2 provides an internal HTTP endpoint that exposes information from the cloud platform to workloads running in an instance. The endpoint is accessible to every workload running in the instance. An attacker that is able to execute a pod in the cluster may be able to query the metadata service and discover additional information about the environment.

Remediation

• Limit access to the instance metadata service. Consider using a local firewall such as iptables to disable access from some or all processes/users to the instance metadata service.

• Disable the metadata service (via instance metadata options or IAM), or at a minimum enforce the use IMDSv2 on an instance to require token-based access to the service.

• Modify the HTTP PUT response hop limit on the instance to 1. This will only allow access to the service from the instance itself rather than from within a pod.

References

• AWS Instance Metadata service
• EC2 Instance Profiles