Re: F39 proposal: Register EC2 Cloud Images with IMDSv2-only AMI flag (Self-Contained Change proposal)

> https://fedoraproject.org/wiki/Changes/CloudEC2IMDSv2Only
> 
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
> 
> 
> == Summary ==
> In November 2019, AWS launched IMDSv2 (Instance Meta-Data Store
> version 2 - see
> https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
> ) which provides "belt and suspenders" protections for four types of
> vulnerabilities that could be used to try to access the Instance
> Meta-Data Store available to EC2 instances. In that announcement, AWS
> recommended adopting IMDSv2 and restricting access to IMDSv2 only for
> added security. This can be done at instance launch time, or
> ([https://aws.amazon.com/about-aws/whats-new/2022/10/amazon-machine-images-support-instance-metadata-service-version-2-default/
> more recently in October 2022]) by providing a flag when registering
> an AMI to indicate that the AMI should by default launch with IMDSv1
> disabled, and thus require IMDSv2.
> 
> By enabling this flag for Fedora, we provide a better security posture
> for Fedora users running in EC2.
> 
> When an AMI is registered for IMDSv2 it is still possible to launch
> instances with IMDSv1 enabled by providing the right option to the
> RunInstances EC2 API call. The flag merely switches the default.

So, do we then need to update the client we use to upload images? 
Or is this something that could be set on the account side to say
"enable this flag by default"?

kevin

Attachment: signature.asc
Description: PGP signature
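Added example to illustrate the mechanism the quoted proposal describes: the ImdsSupport flag on RegisterImage only changes the launch default, and RunInstances can still re-enable IMDSv1, so an operator who cares about the posture has to check both the AMI and the running instances. This is not code from the Change proposal or from Fedora's image upload tooling; it assumes boto3-style response shapes for DescribeImages and DescribeInstances, the sample responses are constructed (the ami-/i-/snap- ids are placeholders), and the device names in the RegisterImage parameters are assumptions.

```python
"""Audit helpers for an IMDSv2-only default on EC2 AMIs and instances.

Added example, not from the proposal or Fedora's tooling.  Assumes the
dict shapes boto3 returns for describe_images()/describe_instances();
the sample data at the bottom is constructed.
"""

IMDS_V2_ONLY = "v2.0"  # the ImdsSupport value RegisterImage accepts


def register_image_params(name, snapshot_id, arch="x86_64"):
    """Parameters for ec2.register_image() that set the AMI-level default so
    instances launch with IMDSv1 disabled.  Root device name and the rest of
    the mapping are placeholder assumptions for this example."""
    return {
        "Name": name,
        "Architecture": arch,
        "RootDeviceName": "/dev/sda1",
        "VirtualizationType": "hvm",
        "EnaSupport": True,
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/sda1", "Ebs": {"SnapshotId": snapshot_id}}
        ],
        "ImdsSupport": IMDS_V2_ONLY,
    }


def image_requires_imdsv2(image):
    """True when a DescribeImages entry carries the IMDSv2-only default."""
    return image.get("ImdsSupport") == IMDS_V2_ONLY


def instance_imds_state(instance):
    """Classify an instance's effective IMDS configuration.

    HttpTokens 'required' means IMDSv2 only; 'optional' means IMDSv1 still
    answers.  The AMI flag only sets the default, so an instance launched
    from a v2.0 AMI can still end up 'optional' if RunInstances said so.
    """
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return "imds-disabled"
    if opts.get("HttpTokens") == "required":
        return "imdsv2-only"
    return "imdsv1-allowed"


def remediation_params(instance_id):
    """Parameters for ec2.modify_instance_metadata_options() that turn an
    instance to IMDSv2-only without touching the endpoint or hop limit."""
    return {"InstanceId": instance_id, "HttpTokens": "required", "HttpEndpoint": "enabled"}


def audit(images, instances):
    """Return AMIs lacking the flag and instances where IMDSv1 still works."""
    weak_images = [i["ImageId"] for i in images if not image_requires_imdsv2(i)]
    weak_instances = [
        i["InstanceId"] for i in instances
        if instance_imds_state(i) == "imdsv1-allowed"
    ]
    return {
        "images_without_v2_flag": weak_images,
        "instances_allowing_imdsv1": weak_instances,
    }


# Constructed sample data in the shape boto3 returns; ids are placeholders.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001", "Name": "cloud-image-old"},
    {"ImageId": "ami-0000000000000002", "Name": "cloud-image-new", "ImdsSupport": "v2.0"},
]
SAMPLE_INSTANCES = [
    # launched from the v2.0 AMI with the default kept
    {"InstanceId": "i-0000000000000001", "ImageId": "ami-0000000000000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    # launched from the v2.0 AMI but RunInstances overrode the default
    {"InstanceId": "i-0000000000000002", "ImageId": "ami-0000000000000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    # metadata endpoint switched off entirely
    {"InstanceId": "i-0000000000000003", "ImageId": "ami-0000000000000001",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]

if __name__ == "__main__":
    print(audit(SAMPLE_IMAGES, SAMPLE_INSTANCES))
    for iid in audit(SAMPLE_IMAGES, SAMPLE_INSTANCES)["instances_allowing_imdsv1"]:
        print("would call modify_instance_metadata_options with", remediation_params(iid))
```

Run against real data, the same functions take the `Images` list from `describe_images(Owners=["self"])` and the flattened `Instances` from `describe_instances()`; the second sample instance is the case the proposal's last paragraph warns about, where the AMI default was overridden at launch.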

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
