How to prevent/firewall calls to AWS EC2 Instance Metadata API?

http://serverfault.com – The AWS EC2 Instance Metadata API provides a lot of useful functionality. Anyone on the actual EC2 instance can make a call to http://169.254.169.254/ and see metadata for the instance the call was made from. The security of the API is such that it only checks that the call originates from the instance. Therefore, if I am allowing someone to run code on my instance I would like to know how to best block access to that particular url while retaining access myself. As a highlight, I was surprised to find that the Metadata API can be also accessed via http://instance-data/ (which I found by acc
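One way to do what the question asks, as an added example that is not part of the original post or of any answer to it: restrict outbound traffic to the metadata address with an iptables `owner` match so that a single local uid keeps access and every other local user is rejected. The script assumes iptables with the `xt_owner` module is available and takes the uid to keep as its argument; `imds_rules` only prints the commands so the rule set can be reviewed, `imds_apply` runs them (root required), and `imds_check` is a quick reachability test from the current user. Matching on the IP address rather than a hostname also covers the `http://instance-data/` alias mentioned in the question, because that name resolves to the same link-local address.

```shell
#!/bin/sh
# Added example: limit access to the EC2 instance metadata service to one uid.
# Assumes iptables with the owner match (xt_owner); "uid" is whatever local
# account should keep access (0 for root is used in the usage line below).
IMDS_IP="169.254.169.254"

# Print the rules without applying them (dry run). $1 = uid that keeps access.
# Rules go in the OUTPUT chain, so they apply to locally originated traffic
# no matter which hostname (169.254.169.254 or instance-data) the caller used.
imds_rules() {
    uid="$1"
    printf 'iptables -A OUTPUT -d %s -m owner --uid-owner %s -j ACCEPT\n' "$IMDS_IP" "$uid"
    printf 'iptables -A OUTPUT -d %s -j REJECT --reject-with icmp-port-unreachable\n' "$IMDS_IP"
}

# Apply the rules for real; needs root.
imds_apply() {
    imds_rules "$1" | sh
}

# Probe the metadata endpoint as the current user with a short timeout; after
# the REJECT rule is active a non-allowed user should see "IMDS blocked".
imds_check() {
    if curl -s -m 2 "http://$IMDS_IP/latest/meta-data/instance-id" >/dev/null 2>&1; then
        echo "IMDS reachable"
    else
        echo "IMDS blocked"
    fi
}

# Usage: review the rules for root, then apply with `imds_apply 0` as root.
imds_rules 0
```

The ACCEPT rule must come before the REJECT rule, which is why `imds_rules` emits them in that order; rules are appended with `-A`, so run the script on a chain that does not already contain an earlier blanket ACCEPT for that destination.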