The AWS EC2 Instance Metadata API provides a lot of useful functionality. Anyone on the actual EC2 instance can make a call to
http://169.254.169.254/ and see metadata for the instance the call was made from. The security of the API is such that it only checks that the call originates from the instance. Therefore, if I am allowing someone to run code on my instance I would like to know how to best block access to that particular url while retaining access myself.
As a highlight, I was surprised to find that the Metadata API can be also accessed via
http://instance-data/ (which I found by accident somewhere).
I am able to inspect the urls being called by all of the code running on this instance, but I assume that this is not a good approach given IPv6 addresses (possibly), or some weird URI encodings that would resolve into the Metadata IP (169.254.169.254), or some undocumented (it seems) URLs like
Firewall it off.
iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP
This rule prohibits any user other than the root user from opening connections to 169.254.169.254.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.