Are there any unintended side effects of disabling the EC2 instance metadata service endpoint (both IMDSv1 & IMDSv2)?

1

In evaluating the AWS Security Hub finding for [EC2.8] EC2 instances should use IMDSv2, I am considering to turn off access to instance metadata all together. My EC2 instances don't explicitly use the metadata service. If I disable the IMDS endpoint are there any unintended consequences I should know about? Will the CloudWatch and SSM agents still work normally? Any effects on ECS EC2 hosts or EKS nodes?

AWS
VictorF
質問済み 2年前2863ビュー
1回答
4
承認された回答

I wouldn't do that - if security is a concern disabling IMDSv1 is a reasonable step; but IMDSv2 is most probably being used even though you're not explicitly calling it.

Consider that IMDS is the "place" where the instance role temporary credentials are stored. Many libraries and tools (think AWS CLI) automatically reach out to IMDS to retrieve those credentials and then use them to access AWS services in accordance with the permissions assigned by the instance role. If access to it were blocked or unavailable then all of those things would fail.

Certainly CloudWatch and SSM use IMDS so those will not work correctly (read: they will fail).

Could you get around that? Yes, but putting static credentials on the host; but the whole point of those temporary credentials is to avoid that.

There are other things available via IMDS (think current AZ, region, etc.) that could also be used silently by your existing applications so I think it unwise to disable it completely.

profile pictureAWS
エキスパート
回答済み 2年前
profile picture
エキスパート
レビュー済み 2ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ