Forem: Geoffroy RENAUD The latest articles on Forem by Geoffroy RENAUD (@geoffroyrenaud). https://forem.com/geoffroyrenaud https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F273684%2F9a08cd2a-307b-4e2c-b401-c0a89bc1bc1b.jpg Forem: Geoffroy RENAUD https://forem.com/geoffroyrenaud en AWS protect SSRF vulnerabilities with new EC2 Instance Metadata feature Geoffroy RENAUD Wed, 20 Nov 2019 21:39:50 +0000 https://forem.com/geoffroyrenaud/aws-protect-ssrf-vulnerabilities-with-new-ec2-instance-metadata-feature-2b9l https://forem.com/geoffroyrenaud/aws-protect-ssrf-vulnerabilities-with-new-ec2-instance-metadata-feature-2b9l <p>After the annonce on the AWS Security blog for protecting AWS instance from SSRF attack, we should test and implement this new security feature: <a href="https://aws.amazon.com/fr/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/">https://aws.amazon.com/fr/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/</a></p> <p>AWS documentation about this feature : <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#configuring-instance-metadata-options">https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#configuring-instance-metadata-options</a></p> <p>There is 2 methods in order to use it :</p> <ul> <li>Add a policy to your users/geoups with this example policy : </li> </ul> <div class="highlight"><pre class="highlight plaintext"><code>{ "Version": "2012-10-17", "Statement": [{ "Sid": "RunInstanceWithImdsV2Only", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*", "Condition": { "StringEquals": { "ec2:MetadataHttpTokens": "required" } } }] } </code></pre></div> <ul> <li>Modify a running instance metadata : </li> </ul> <p><code>aws ec2 modify-instance-metadata-options --instance-id i-1234567898abcdef0 --http-token required</code><br> </p> <p><em>We need to enforce this best practice if possible by design using AWS Organization SCP.</em></p> <p>Here a first try for a policy to Enforce EC2 Metadata Token :<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>{ "Version": "2012-10-17", "Statement": [ { "Sid": "EnforceEC2metadataTOKEN", "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": [ "*" ], "Condition": { "StringNotEquals": { "ec2:MetadataHttpTokens": "required" } } } ] } </code></pre></div> <p>Seems working for me, I need to try more when Terraform or CDK will implement the feature to completely validate:</p> <ul> <li><a href="https://github.com/aws/aws-cdk/issues/5137">https://github.com/aws/aws-cdk/issues/5137</a></li> <li><a href="https://github.com/terraform-providers/terraform-provider-aws/issues/10949">https://github.com/terraform-providers/terraform-provider-aws/issues/10949</a></li> </ul> <p><a href="https://twitter.com/ejcx_">@ejcx_</a> wrote an article about this feature with a incomplete satisfaction, here why with explanation: <a href="https://ejj.io/blog/fixing-capital-one">https://ejj.io/blog/fixing-capital-one</a></p> aws security ssrf