Blocking instance metadata and ecs task metadata endpoint

[joshpollara]

Hello, I'm interested in blocking containers from gaining access to the ec2 instance metadata endpoint and the ecs task metadata endpoint. I am able to restrict access with iptables through the admin container but it's not clear to me how to automate this process. Is this something a bootstrap container should be doing? Looking for some direction. Thank you.

[etungsten]

Hi @joshpollara, you’re correct that a bootstrap container is probably the best way to set that up. Bootstrap containers are guaranteed to run before any orchestrated containerized workload. I would recommend creating iptables rules that restrict access to the metadata endpoints to just the root user because there are other Bottlerocket services that are dependent on instance metadata for properly configuring the host. (e.g. for IMDS, iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP)

More information about bootstrap containers and on how to use them can be found here.

For IMDS, another alternative is to enforce IMDSv2 and restrict the metadata response hop limit to 1 (should be the default) in the instance launch options, so containers are effectively blocked off from IMDS but not the host itself (see here). You can modify existing hosts with the aws ec2 modify-instance-metadata-options command. Do note that this is only for IMDS, for the ECS task metadata endpoint you would most likely still need to use a bootstrap container to restrict access via iptables rules.

Please let us know if you need any further help!

[joshpollara]

@etungsten thank you! very helpful