Are there any unintended side effects of disabling the EC2 instance metadata service endpoint (both IMDSv1 & IMDSv2)?

1

In evaluating the AWS Security Hub finding for [EC2.8] EC2 instances should use IMDSv2, I am considering to turn off access to instance metadata all together. My EC2 instances don't explicitly use the metadata service. If I disable the IMDS endpoint are there any unintended consequences I should know about? Will the CloudWatch and SSM agents still work normally? Any effects on ECS EC2 hosts or EKS nodes?

AWS
VictorF
已提問 2 年前檢視次數 2863 次
1 個回答
4
已接受的答案

I wouldn't do that - if security is a concern disabling IMDSv1 is a reasonable step; but IMDSv2 is most probably being used even though you're not explicitly calling it.

Consider that IMDS is the "place" where the instance role temporary credentials are stored. Many libraries and tools (think AWS CLI) automatically reach out to IMDS to retrieve those credentials and then use them to access AWS services in accordance with the permissions assigned by the instance role. If access to it were blocked or unavailable then all of those things would fail.

Certainly CloudWatch and SSM use IMDS so those will not work correctly (read: they will fail).

Could you get around that? Yes, but putting static credentials on the host; but the whole point of those temporary credentials is to avoid that.

There are other things available via IMDS (think current AZ, region, etc.) that could also be used silently by your existing applications so I think it unwise to disable it completely.

profile pictureAWS
專家
已回答 2 年前
profile picture
專家
已審閱 2 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南