Elastic Compute Service (ECS) - Supports Access to Instance Metadata in Security-enhanced Mode
Apr 01 2020
Target customers: users who use instance metadata and build their own network firewall applications, reverse proxy applications, and web applications that provide transcoding and download services.

Features released: ECS now supports access to instance metadata in security-enhanced mode to prevent data breaches caused by SSRF attacks. In an SSRF attack, an attacker exploits vulnerabilities in a server to send crafted resource requests and abuses the server to access resources in the internal network where the server resides. When a request for instance metadata is received, the instance metadata server returns the requested metadata in the form of URLs. These URLs are vulnerable to tampering and may be used to attack internal systems that are not reachable from external networks. To prevent SSRF attacks, we recommend that you access instance metadata in security-enhanced mode.

In security-enhanced mode, you establish a session between an ECS instance and the instance metadata server. When you access the metadata of an instance from that instance, the instance metadata server authenticates your identity based on a token. When the token expires, the instance metadata server closes the session and deletes the token. The following limits apply to tokens:

* Each token can be used for a single ECS instance only. If you copy the token file of one instance to another instance, the instance metadata server denies access from the instance that uses the copied token file.
* Each token must have a defined validity period ranging from 1 to 21,600 seconds (six hours). A token can be reused until it expires, which balances security against user experience.
* Proxy access is not supported. If a token creation request contains the X-Forwarded-For header, the instance metadata server refuses to issue the token.
* An unlimited number of tokens can be issued to each ECS instance.
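To make the token rules above concrete, the following added example (not code from the release note or from Alibaba Cloud) runs a small in-process HTTP stub that enforces each rule in the list, together with the client-side flow an application on the instance would follow: obtain a token with a PUT request that carries a TTL header, then present the token on every metadata GET. The token path `/latest/api/token` and the header names `X-aliyun-ecs-metadata-token-ttl-seconds` and `X-aliyun-ecs-metadata-token` follow Alibaba Cloud's documented security-enhanced mode as I understand it and are not stated on this page, so treat them as assumptions; the `X-Stub-Instance-Id` header, the sample metadata values and the loopback server are constructed purely so the example can run offline (the real service identifies the calling instance itself and does not use such a header).

```python
"""Simulated security-enhanced (token-based) instance metadata service.

Constructed example: a loopback HTTP stub that applies the token rules from
the release note, plus the client calls an application would make.
Assumptions: token path and header names mirror Alibaba Cloud's documented
mode; the real endpoint is http://100.100.100.200, not this stub; the
X-Stub-Instance-Id header only stands in for the real server's knowledge of
which instance is calling.
"""
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aliyun-ecs-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aliyun-ecs-metadata-token"
INSTANCE_HEADER = "X-Stub-Instance-Id"  # constructed, stub only
MAX_TTL = 21600  # six hours: the longest validity period allowed
METADATA = {"/latest/meta-data/instance-id": "i-example0001"}  # constructed

# Disable environment proxies so the client always talks to the stub directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class TokenStore:
    """Issued tokens, each bound to one instance id and an expiry time."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}  # token -> (instance_id, expires_at)

    def issue(self, instance_id, ttl, forwarded_for=None):
        if forwarded_for is not None:  # proxy access is not supported
            return None
        if not 1 <= ttl <= MAX_TTL:  # validity must be 1..21600 seconds
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (instance_id, self.clock() + ttl)
        return token  # no cap on how many tokens an instance may hold

    def validate(self, token, instance_id):
        entry = self.tokens.get(token)
        if entry is None:
            return False
        bound_id, expires_at = entry
        if self.clock() >= expires_at:
            del self.tokens[token]  # expired: session closed, token deleted
            return False
        return bound_id == instance_id  # a copied token file fails here


class Handler(BaseHTTPRequestHandler):
    store = TokenStore()

    def log_message(self, *args):  # keep the stub quiet
        pass

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):  # token creation
        if self.path != TOKEN_PATH:
            return self._send(404, "not found")
        try:
            ttl = int(self.headers.get(TTL_HEADER, ""))
        except ValueError:
            return self._send(400, "bad ttl")
        token = self.store.issue(self.headers.get(INSTANCE_HEADER), ttl,
                                 self.headers.get("X-Forwarded-For"))
        if token is None:
            return self._send(403, "token refused")
        self._send(200, token)

    def do_GET(self):  # metadata read, token required
        caller = self.headers.get(INSTANCE_HEADER)
        if not self.store.validate(self.headers.get(TOKEN_HEADER, ""), caller):
            return self._send(401, "unauthorized")
        value = METADATA.get(self.path)
        if value is None:
            return self._send(404, "not found")
        self._send(200, value)


def fetch_token(base, instance_id, ttl, via_proxy=False):
    """Client step 1: PUT with a TTL header; returns the token or None."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT")
    req.add_header(TTL_HEADER, str(ttl))
    req.add_header(INSTANCE_HEADER, instance_id)
    if via_proxy:  # simulate a reverse proxy adding X-Forwarded-For
        req.add_header("X-Forwarded-For", "203.0.113.7")
    try:
        with OPENER.open(req) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError:
        return None


def fetch_metadata(base, instance_id, token, path):
    """Client step 2: GET the metadata path, presenting the token."""
    req = urllib.request.Request(base + path)
    req.add_header(TOKEN_HEADER, token or "")
    req.add_header(INSTANCE_HEADER, instance_id)
    try:
        with OPENER.open(req) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError:
        return None


def start_stub():
    """Start the loopback stub on a free port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port


if __name__ == "__main__":
    srv, base = start_stub()
    tok = fetch_token(base, "i-example0001", 180)
    print(fetch_metadata(base, "i-example0001", tok, "/latest/meta-data/instance-id"))
    srv.shutdown()
```

The defensive point the stub makes visible is that an SSRF primitive which can only issue GET requests never reaches the metadata, because every read requires a token that is itself only obtainable through a PUT with a TTL header, is refused when a proxy adds X-Forwarded-For, and is bound to the calling instance for a bounded lifetime.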