Locked and Loaded: Fortifying AWS EC2 Security with an Ironclad Metadata Block

Soham Dutta
2 min readAug 3, 2023

Hey there, fellow cloud enthusiasts! Today, we’re diving into the wild world of AWS EC2 instances and the sneaky metadata URL that comes with them. Now, don’t get me wrong; this metadata stuff is handy dandy! It gives you all sorts of juicy details about your EC2 instance — availability zone, AMI, and more.

But wait! Danger lurks in the shadows! This seemingly innocent metadata URL can reveal some seriously sensitive stuff. I’m talking about IP addresses, IAM credentials, and other goodies that could make hackers drool! Yikes!

Now, if you’re using an IAM role (and you probably are), those credentials — although they rotate — are accessed through that metadata URI. It’s like giving your precious keys to a total stranger! Not cool!

But fear not, my security-savvy friends! There’s a way to lock down that metadata URI and keep your secrets safe. So, I put on my tech detective hat and started tinkering with RedHat/CentOS-based systems to make it happen.

Step 1: Blocking the Metadata URI I conjured up a nifty little “unreachable” route for that sneaky IP address, 169.254.169.254. It’s like building an impenetrable fortress around your castle! No more outsiders allowed!

For the command line wizards out there, it goes something like this:

[root]# cat /etc/sysconfig/network-scripts/route-eth0
unreachable 169.254.169.254/32 metric 999
[root]# systemctl restart network

Or, if you’re chilling with NetworkManager:

[root]# ls -l /etc/NetworkManager/dispatcher.d/50-blackhole
-rwxr-xr-x. 1 root root 80 Aug 9 10:27 /etc/NetworkManager/dispatcher.d/50-blackhole
[root]# cat /etc/NetworkManager/dispatcher.d/50-blackhole
#!/bin/sh
ip route add unreachable 169.254.169.254/32 metric 999
exit 0 ;#ignore dup error
[root]# nmcli conn up eth0

Step 2: The Acid Test Now comes the moment of truth! Let’s see if our crafty blocking worked:

[root]# ip route show 169.254.169.254
unreachable 169.254.169.254 metric 999
[root]# curl http://169.254.169.254/latest/meta-data
curl: (7) Failed to connect to 169.254.169.254: No route to host

Bam! Victory dance! The metadata URI is now like Fort Knox — no entry allowed!

Wrapping Up: So there you have it, my fellow cloud warriors! We’ve tamed the ferocious metadata URL and protected our precious EC2 instances from potential attacks. Remember, IAM roles are cool cats, but don’t overdo the privileges! Keep them on a tight leash and review those permissions regularly.

With a little tech know-how and some security smarts, you can conquer the cloud and keep the bad guys at bay. Until next time, happy cloud computing and stay safe out there! 🌩️🛡️

--

--