Are there any unintended side effects of disabling the EC2 instance metadata service endpoint (both IMDSv1 & IMDSv2)?
In evaluating the AWS Security Hub finding for [EC2.8] EC2 instances should use IMDSv2, I am considering to turn off access to instance metadata all together. My EC2 instances don't explicitly use the metadata service. If I disable the IMDS endpoint are there any unintended consequences I should know about? Will the CloudWatch and SSM agents still work normally? Any effects on ECS EC2 hosts or EKS nodes?
- 最新
- 投票最多
- 评论最多
I wouldn't do that - if security is a concern disabling IMDSv1 is a reasonable step; but IMDSv2 is most probably being used even though you're not explicitly calling it.
Consider that IMDS is the "place" where the instance role temporary credentials are stored. Many libraries and tools (think AWS CLI) automatically reach out to IMDS to retrieve those credentials and then use them to access AWS services in accordance with the permissions assigned by the instance role. If access to it were blocked or unavailable then all of those things would fail.
Certainly CloudWatch and SSM use IMDS so those will not work correctly (read: they will fail).
Could you get around that? Yes, but putting static credentials on the host; but the whole point of those temporary credentials is to avoid that.
There are other things available via IMDS (think current AZ, region, etc.) that could also be used silently by your existing applications so I think it unwise to disable it completely.
