
Overview of ECS instance metadata


Elastic Compute Service (ECS) instance metadata contains the information of ECS instances in Alibaba Cloud. You can view the metadata of running instances and configure or manage the instances based on their metadata.

Limits
The instance metadata feature is supported only for instances that reside in virtual private clouds (VPCs).

Instance metadata items



This topic describes the basic and dynamic metadata items that you can obtain from an Elastic Compute Service (ECS) instance.


View instance metadata



This topic describes the differences between instance metadata viewed in normal mode and in security hardening mode. This topic also demonstrates how to view the metadata of an Elastic Compute Service (ECS) instance.

Prerequisites
The instance resides in a virtual private cloud (VPC).
You are connected to the instance. For more information, see Guidelines on instance connection.
Background information
You can view instance metadata by using an endpoint in the http://100.100.100.200/latest/[metadata] format. Replace [metadata] with the instance metadata item. For more information, see Instance metadata items.
You can access the endpoint in normal or security hardening mode.

In normal mode, a new connection is established with each request to view instance metadata, and the connection is immediately released after the request is complete. This mode uses a simple verification method. If the instance metadata server is attacked and sensitive data such as Resource Access Management (RAM) roles is leaked, your data and assets are at risk.

Server-side request forgery (SSRF) is an attack in which an attacker exploits vulnerabilities in a server to send forged resource requests to the server and access resources located within the same internal network. When a request for instance metadata is received, the instance metadata server shares the requested metadata in URLs. These URLs are vulnerable to tampering and may be used to attack internal systems that are inaccessible to external networks. In security hardening mode, instance metadata is restricted and can be viewed only by using token-based authentication. The security hardening mode provides better protection against SSRF attacks than the normal mode. In scenarios such as self-managed network firewall applications, self-managed reverse proxy applications, and self-managed web applications that provide transcoding and download services, we recommend that you view instance metadata in security hardening mode to prevent SSRF attacks and improve the security of applications.
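For the self-managed web applications that provide transcoding and download services mentioned above, the application can also refuse to fetch user-supplied URLs that resolve to the metadata server. The following Python check is an added example, not Alibaba Cloud code; `check_fetch_url`, the injectable `resolver` and the sample hostnames are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Metadata server address, taken from the endpoint format on this page.
METADATA_IP = ipaddress.ip_address("100.100.100.200")


def resolve(host):
    """Return every address the system resolver gives for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_fetch_url(url, resolver=resolve):
    """Return (allowed, reason) for a user-supplied URL the server would fetch.

    check_fetch_url and the injectable resolver are names assumed for this example.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "only absolute http(s) URLs are fetched"
    try:
        addresses = resolver(parts.hostname)
    except OSError:
        addresses = []
    if not addresses:
        return False, "host does not resolve"
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
        if ip == METADATA_IP:
            return False, f"{ip} is the instance metadata server"
        # 100.100.100.200 lies in 100.64.0.0/10, which ip.is_private does not
        # cover, so test is_global instead of is_private.
        if not ip.is_global:
            return False, f"{ip} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed hostnames and answers; the stub resolver keeps the demo offline.
    dns = {"cdn.example.com": ["8.8.8.8"], "img.example.net": ["100.100.100.200"]}
    for url in ("https://cdn.example.com/a.png", "http://img.example.net/a.png",
                "http://100.100.100.200/latest/", "http://127.0.0.1/"):
        print(url, check_fetch_url(url, resolver=lambda h: dns.get(h, [h])))
```

The fetch itself should connect to the address that was checked, because a second DNS lookup can return a different answer. On the instance side, security hardening mode remains the control this page recommends.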

You must specify an instance metadata access mode when you create an instance in the ECS console.
Normal Mode (Compatible with Security Hardening Mode): After the instance is created, you can view the instance metadata in normal mode or in security hardening mode.
Security Hardening Mode: After the instance is created, you can view the instance metadata only in security hardening mode.


For more information, please check the official documentation.

