https://fedoraproject.org/wiki/Changes/CloudEC2IMDSv2Only

This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
In November 2019, AWS launched IMDSv2 (Instance Meta-Data Store version 2 - see https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ ) which provides "belt and suspenders" protections for four types of vulnerabilities that could be used to try to access the Instance Meta-Data Store available to EC2 instances. In that announcement, AWS recommended adopting IMDSv2 and restricting access to IMDSv2 only for added security. This can be done at instance launch time, or ([https://aws.amazon.com/about-aws/whats-new/2022/10/amazon-machine-images-support-instance-metadata-service-version-2-default/ more recently in October 2022]) by providing a flag when registering an AMI to indicate that the AMI should by default launch with IMDSv1 disabled, and thus require IMDSv2.

By enabling this flag for Fedora, we provide a better security posture for Fedora users running in EC2.

When an AMI is registered for IMDSv2 it is still possible to launch instances with IMDSv1 enabled by providing the right option to the RunInstances EC2 API call. The flag merely switches the default.

== Owner ==
* Name: [[User:Trawets| Stewart Smith]] [[User:Davdunc| David Duncan]]
* Email: trawets@xxxxxxxxxx

== Detailed Description ==
Attached locally to every EC2 instance, the Instance Meta-Data Service runs on a special "link local" IP address of 169.254.169.254 that means only software running on the instance can access it. For applications with access to IMDS, it makes available metadata about the instance, its network, and its storage.
The IMDS also makes the AWS credentials available for any IAM role that is attached to the instance. IMDS is the primary data source for `cloud-init` on EC2, and various other utilities will also access it.

The [https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ IMDSv2 announcement] gives more details as to the "belt and suspenders" protections it brings for four types of vulnerabilities that could be used to try to access the IMDS.

By default, registering and then launching an AMI will launch an EC2 instance where both IMDSv1 and IMDSv2 are enabled. A recent addition to the EC2 API is the ability to register an AMI with a flag that indicates that the default behavior when launching an instance should be to have IMDSv2 enabled and IMDSv1 disabled.

The proposal is, starting with Fedora 39, to [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances-ami-configuration register EC2 AMIs with this flag set as documented in the EC2 User Guide].

== Feedback ==
While Amazon Linux 2023 (then called AL2022) was in Tech Preview, its AMIs have been registered with this flag since the [https://aws.amazon.com/about-aws/whats-new/2022/10/amazon-machine-images-support-instance-metadata-service-version-2-default/ flag was announced in October 2022]. During this time, we have not received any negative feedback about this change. The only user of IMDSv1 calls that we have so far had to migrate to IMDSv2 calls has been some internal test cases run by a service team.

== Benefit to Fedora ==
This change will provide Fedora users on EC2 with an enhanced security posture by default.

== Scope ==
* Proposal owners: Modify AMI registration to include the flag. No other technical work is required.
* Other developers: Any remaining code that talks to IMDS that does not use IMDSv2 will need to be adapted to continue to work by default.
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:

== Upgrade/compatibility impact ==
No impact for existing EC2 Instances. The AMI flag only affects new instance launches.

== How To Test ==
Testing will not change from any regular Fedora EC2 AMI. The only additional check will need to be that the parameter is set correctly.

== User Experience ==
This change should be transparent to users.

== Dependencies ==
No dependencies.

== Contingency Plan ==
* Contingency mechanism: (What to do? Who will do it?) N/A
* Contingency deadline: N/A
* Blocks release? N/A (not a System Wide Change)

== Documentation ==
N/A (not a System Wide Change)

== Release Notes ==

-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
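For the "Other developers" item in Scope, the following added example (not part of the original proposal or of any Fedora or AWS code) shows what an IMDSv1-style call receives from an IMDSv2-only endpoint and what the adapted IMDSv2 call looks like. It assumes a local mock server in place of 169.254.169.254, with a constructed token and instance ID; the token path and the two `X-aws-ec2-metadata-token` headers are the ones IMDSv2 uses.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

TOKEN = "constructed-session-token"  # constructed sample value
OPENER = build_opener(ProxyHandler({}))  # IMDS is link-local: bypass any proxy

class MockIMDS(BaseHTTPRequestHandler):
    """Local stand-in for an IMDSv2-only endpoint (constructed, not AWS code)."""
    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_PUT(self):
        # A session token is issued only to a PUT that states a TTL.
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        ok = self.path == "/latest/api/token" and ttl is not None
        self._reply(200 if ok else 400, TOKEN.encode() if ok else b"")
    def do_GET(self):
        ok = self.headers.get("X-aws-ec2-metadata-token") == TOKEN  # else 401
        self._reply(200 if ok else 401, b"i-0123456789abcdef0" if ok else b"")

def fetch_v1(base, path):
    """Legacy IMDSv1 call: a bare GET. Returns the HTTP status code."""
    try:
        with OPENER.open(base + path, timeout=2) as r:
            return r.status
    except HTTPError as e:
        return e.code

def fetch_v2(base, path, ttl=60):
    """IMDSv2 call: PUT for a session token, then GET with the token header."""
    ttl_hdr = {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)}
    req = Request(base + "/latest/api/token", headers=ttl_hdr, method="PUT")
    with OPENER.open(req, timeout=2) as r:
        token = r.read().decode()
    req = Request(base + path, headers={"X-aws-ec2-metadata-token": token})
    with OPENER.open(req, timeout=2) as r:
        return r.read().decode()

def demo(path="/latest/meta-data/instance-id"):
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return fetch_v1(base, path), fetch_v2(base, path)
    finally:
        server.shutdown()
```

On a real instance the same `fetch_v2` logic applies with `base` set to `http://169.254.169.254`.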
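For the "How To Test" check that the parameter is set correctly, this added example (not from the proposal) audits the JSON that `aws ec2 describe-images` and `aws ec2 describe-instances` return. It reports AMIs registered without `ImdsSupport` set to `v2.0` and instances where IMDSv1 is still reachable, including the RunInstances override case the Summary mentions. The sample JSON, image IDs and instance IDs are constructed, and the verdict strings are this example's own.

```python
import json

# Constructed sample output of `aws ec2 describe-images` and
# `aws ec2 describe-instances` (all IDs are made up for this example).
IMAGES_JSON = """{"Images": [
  {"ImageId": "ami-0aaa", "Name": "fedora-39-sample", "ImdsSupport": "v2.0"},
  {"ImageId": "ami-0bbb", "Name": "fedora-38-sample"}]}"""
INSTANCES_JSON = """{"Reservations": [{"Instances": [
  {"InstanceId": "i-01", "ImageId": "ami-0aaa",
   "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
  {"InstanceId": "i-02", "ImageId": "ami-0aaa",
   "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
  {"InstanceId": "i-03", "ImageId": "ami-0bbb",
   "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}}]}]}"""

def amis_missing_flag(images_doc):
    """AMI IDs not registered with ImdsSupport=v2.0 (absent means no default)."""
    return [img["ImageId"] for img in images_doc["Images"]
            if img.get("ImdsSupport") != "v2.0"]

def audit_instances(images_doc, instances_doc):
    """Map instance ID -> verdict, comparing the AMI default with live options."""
    flagged = {img["ImageId"] for img in images_doc["Images"]
               if img.get("ImdsSupport") == "v2.0"}
    findings = {}
    for reservation in instances_doc["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                verdict = "imds-disabled"
            elif opts.get("HttpTokens") == "required":
                verdict = "v2-only"
            elif inst["ImageId"] in flagged:
                # The AMI defaults to v2-only, so IMDSv1 was turned back on
                # explicitly for this instance.
                verdict = "v1-allowed (overrides AMI default)"
            else:
                verdict = "v1-allowed (AMI not flagged)"
            findings[inst["InstanceId"]] = verdict
    return findings

if __name__ == "__main__":
    images, instances = json.loads(IMAGES_JSON), json.loads(INSTANCES_JSON)
    print(amis_missing_flag(images))
    print(audit_instances(images, instances))
```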