1 Answer
- Newest
- Most votes
- Most comments
0
Finally figured it out. There are iptables rules on parallel-cluster
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N PARALLELCLUSTER_IMDS
-A OUTPUT -d 169.254.169.254/32 -j PARALLELCLUSTER_IMDS
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 129 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 0 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 400 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -m owner --uid-owner 1000 -j ACCEPT
-A PARALLELCLUSTER_IMDS -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable
This blocks the ec2-instance-connect user from accessing the meta-data
answered 2 years ago
Relevant content
- Accepted Answerasked a year ago
- Accepted Answerasked 2 years ago
- asked 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 6 months ago