AWS has a feature called Instance Metadata, which on EC2 gives you access to the AWS credentials through HTTP calls:
The feature itself is intentional, and thus technically not a vulnerability. The risk is also stated in the documentation:
> If you use services that use instance metadata with IAM roles, ensure that you don’t expose your credentials when the services make HTTP calls on your behalf. The types of services that could expose your credentials include HTTP proxies, HTML/CSS validator services, and XML processors that support XML inclusion.
As long as an application cannot be tricked by an attacker into making such a request and outputting the response, it is certainly a convenient feature. Unfortunately, it is a common source of attacks.
Of course, a server should properly verify all URLs beforehand, but in the spirit of defense in depth, I wonder if it is possible to disable it, or maybe allow it only during startup (before opening any ports).
- Is it technically possible to disable the feature? In other words, how can I ensure that requests to
- If it is technically possible, are there any drawbacks in blocking it?
- Is there a way to still have access to the safe parts of the API, but not to the critical ones? Maybe by whitelisting specific paths? For example, I see the point of allowing /meta-data/spot/instance-action, which tells you whether your EC2 spot instance has been scheduled for termination.
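One way to get the path-whitelisting asked for in the third bullet, as an added example that is neither part of the question nor an AWS-provided tool: a small local proxy in front of 169.254.169.254 that forwards only an explicit allowlist of metadata paths, refuses everything else (in particular `/latest/meta-data/iam/security-credentials/`), and holds the IMDSv2 session token itself so that application code never sees it. The allowlist contents, the listening port 8169 and the dedicated `imdsproxy` user are assumptions for the example. Direct access from every other uid is then blocked with an iptables owner-match rule, which is what makes the allowlist enforceable rather than advisory.

```python
"""Allowlisting proxy for the EC2 instance metadata service (IMDS).

Example code, not part of the original question or of any AWS tooling.
Run as an unprivileged user (assumed name: imdsproxy) and block everyone else
from reaching the metadata endpoint directly, e.g.
    iptables -A OUTPUT -d 169.254.169.254 -m owner ! --uid-owner imdsproxy -j REJECT
Applications then talk to http://127.0.0.1:8169/ instead of 169.254.169.254.
"""
import posixpath
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS = "http://169.254.169.254"
TOKEN_TTL = "21600"  # seconds; IMDSv2 maximum

# Assumed allowlist: only the metadata an application on this host legitimately needs.
# The IAM credential paths are deliberately absent.
ALLOWED_PATHS = {
    "/latest/meta-data/spot/instance-action",
    "/latest/meta-data/instance-id",
    "/latest/meta-data/placement/availability-zone",
}


def normalize(path: str) -> str:
    """Canonicalise a request path so '..', '//' and percent-encoding cannot bypass
    an exact-match allowlist. Anything that does not canonicalise to an allowed
    entry (double encoding, odd characters) simply fails the exact match."""
    path = path.split("?", 1)[0].split("#", 1)[0]  # drop query string / fragment
    path = urllib.parse.unquote(path)  # %2e%2e -> ..
    path = "/" + path.lstrip("/")  # posixpath.normpath keeps a leading '//' verbatim
    return posixpath.normpath(path)  # collapses '..', '.', repeated and trailing '/'


def is_allowed(path: str) -> bool:
    """True only if the canonical form of `path` is exactly an allowlisted entry."""
    return normalize(path) in ALLOWED_PATHS


def get_token() -> str:
    """Fetch an IMDSv2 session token; it stays inside the proxy process."""
    req = urllib.request.Request(
        IMDS + "/latest/api/token",
        method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL},
    )
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


class Handler(BaseHTTPRequestHandler):
    """GET-only: the token PUT is done by the proxy, never on behalf of a client."""

    def do_GET(self):
        if not is_allowed(self.path):
            self.send_error(403, "metadata path not in allowlist")
            return
        upstream = IMDS + normalize(self.path)
        try:
            req = urllib.request.Request(
                upstream, headers={"X-aws-ec2-metadata-token": get_token()}
            )
            with urllib.request.urlopen(req, timeout=2) as resp:
                body = resp.read()
                self.send_response(resp.status)
                self.send_header("Content-Type", resp.headers.get("Content-Type", "text/plain"))
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
        except urllib.error.HTTPError as e:  # e.g. 404 for spot/instance-action when not scheduled
            self.send_error(e.code)
        except urllib.error.URLError:
            self.send_error(502, "metadata service unreachable")

    def do_PUT(self):
        self.send_error(405, "token requests are handled inside the proxy")


def serve(host: str = "127.0.0.1", port: int = 8169) -> None:
    HTTPServer((host, port), Handler).serve_forever()


if __name__ == "__main__":
    serve()
```

The proxy only answers the third bullet; it does not make the endpoint disappear. For the first bullet the instance-level switch is `aws ec2 modify-instance-metadata-options --http-endpoint disabled`, and short of that, `--http-tokens required` together with a low `--http-put-response-hop-limit` stops the classic GET-only SSRF from reaching the credentials, since an attacker who can only forge a GET cannot perform the PUT that obtains the token.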