Prevent SSRF attacks by requiring token-based authentication for instance metadata access.
Security risks
In normal mode, instance metadata requests are authenticated by source IP address. An attacker can forge this address to bypass authentication, leading to SSRF attacks that expose sensitive metadata. Enhanced mode requires a time-limited access credential that is generated and valid only within the specific ECS instance. Because the credential cannot be guessed or forged, enhanced mode prevents most SSRF attacks.
Best practices
Console
On the instance purchase page, select Security Hardening Mode instead of Normal Mode and Security Hardening Mode. Only some latest public image versions support this mode.
After you enforce enhanced mode for instance metadata, update all application code that accesses metadata to use token-based authentication.
API
When calling RunInstances or CreateInstance API operation, set HttpTokens to required and HttpEndpoint to enabled to enforce security hardening mode.
Compliance capabilities
Block: Deny instance creation without security hardening mode
Use a RAM policy at the organization or account level to deny instance creation without security hardening mode.
-
For enterprise users:
-
Log on to the Resource Directory console with an Alibaba Cloud account. In the left navigation pane, click Control Policies. Create a custom policy with the following JSON content.
This policy denies instance creation or metadata mode changes that do not use security hardening mode.
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "ecs:RunInstances", "ecs:CreateInstance", "ecs:ModifyInstanceMetadataOptions" ], "Resource": "*", "Condition": { "StringEquals": { "ecs:SecurityHardeningMode": ["false"] } } } ] } -
In the resource directory, select a node and attach the policy. The policy blocks the specified operations for all accounts under that node.
-
-
For individual users:
-
Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account. In the left navigation pane, click Permission Policy. Create a custom policy with the same JSON content.
-
Attach the policy to a RAM user, RAM user group, or RAM role.
-