Example AWS Metadata proxy to protect against attack vectors targetting AWS Credentials
AWS updated their metadata service in Nov '19 (IMDSv2). With IMDSv2 a token will be sent when requesting the metadata service, therefore the risk of an attacker requesting the metadata service through ssrf has been minimized. There is a few blogposts about implementation details (getting started with imdsv2).
Depending on your usecase and the threat model it could be reasonable to just use the IMDSV2.
Clone the repo
git clone https://github.com/Netflix-Skunkworks/aws-metadata-proxy.git
cd aws-metadata-proxy
Build the proxy
go get
go buildCreate an iptable rule that prevents talking directly to the AWS Metadata Service except for a particular user, proxy_user in the example below. This is the user you run the proxy as on your server.
/sbin/iptables -t nat -A OUTPUT -m owner ! --uid-owner proxy_user -d 169.254.169.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:9090