
I am running a Windows instance on AWS.

The instance has an IIS service running on it.

The IIS service has a user associated with it, and that user has no need to access the AWS instance metadata.

I was reading up on https://aws.amazon.com/answers/security/aws-securing-windows-instances/

Centrally manage Windows Firewall settings with Group Policy Objects (GPO) to further enhance network controls. Customers often use the Windows Firewall for further visibility into network traffic and to complement security group filters, creating advanced rules to block specific applications from accessing the network or to filter traffic from a subset IP addresses. For example, the Windows Firewall can limit access to the EC2 metadata service IP address to specific whitelisted users or applications. Alternatively, a public-facing service might use security groups to restrict traffic to specific ports and the Windows Firewall to maintain a blacklist of explicitly blocked IP addresses.

The part in bold got me curious about the scenario where SSRF is used.

  • Can you restrict access to the AWS metadata just for the IIS service or the service user without impacting the service availability?
  • What would the configuration look like?

@R1W Yes, that's exactly correct. If you know a bit about AWS, you can access http://169.254.169.254 to get metadata about the instance, which can also include the keys. If the keys are incorrectly configured with IAM it can lead to potentially bad stuff. However this question is no longer relevant, since they actually updated the Metadata API to require a security token https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/. – Raimonds Liepiņš Jan 02 '20 at 06:33

2 Answers


Indeed, if you want to restrict access to the instance metadata service so that only a specific list of users can query it, you need an OS-level control instead of a network-level control.

The reason is simple: users are an OS concept, and packets from different users on an OS reaching out to the instance metadata service look indistinguishable from each other at the network level.

This documentation from AWS describes a use case identical to yours, where they limit access to the instance metadata to the root user only (using PF on BSD): https://docs.aws.amazon.com/AWSEC2/latest/UserGuide//instancedata-data-retrieval.html#w328aac17c17c25c15c19b1

I'm no expert, but I guess Windows Firewall will perform the same function, where network traffic to the instance metadata IP can be denied to your IIS user. You couldn't do this with security groups or NACLs, simply because you'd block the entire metadata service for all users (including all your agents on the server).

keithRozario
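What the per-user rule the answer describes could look like on Windows, as an added example (not code from the answer, the question, or AWS): a single outbound Windows Firewall rule scoped to one local account. It assumes the IIS application pool runs as a dedicated local account named `iis-svc` (a hypothetical name; the built-in virtual account `IIS AppPool\<poolname>` resolves the same way) and that the script runs in an elevated session.

```powershell
# Added example: block outbound traffic to the EC2 instance metadata service
# for ONE Windows account, leaving every other account (SSM agent, CloudWatch
# agent, administrators) untouched. Run as Administrator.

$imdsAddress    = '169.254.169.254'
$serviceAccount = 'iis-svc'   # assumed app-pool identity; replace with yours,
                              # e.g. 'IIS AppPool\DefaultAppPool'

# The -LocalUser parameter takes an SDDL string, so resolve the account to its SID.
$account = New-Object System.Security.Principal.NTAccount($serviceAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# SDDL: owner = Local System, one ACE saying the rule applies ("A") to this SID.
# Accounts not listed are simply not matched by the rule.
$localUserSddl = "O:LSD:(A;;CC;;;$sid)"

New-NetFirewallRule -DisplayName "Block IMDS for $serviceAccount" `
    -Direction Outbound -Action Block -Enabled True `
    -RemoteAddress $imdsAddress -LocalUser $localUserSddl `
    -Description "Deny the IIS service account access to $imdsAddress"

# Confirm the rule landed with the expected scope.
Get-NetFirewallRule -DisplayName "Block IMDS for $serviceAccount" |
    Get-NetFirewallAddressFilter

# Verification: from a process running as $serviceAccount, this request must
# fail with a connection error; from an administrator session it still answers.
#   Invoke-WebRequest -UseBasicParsing -Uri "http://$imdsAddress/latest/meta-data/"
```

Two caveats worth knowing before relying on this: the rule only covers processes whose token carries that SID, so anything the site spawns under a different identity (an out-of-process handler, a scheduled task) needs its own rule, and since the match is on the user rather than the binary, a block on the identity is more robust than a `-Program` rule pointed at `w3wp.exe`.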

This question is no longer relevant for me since AWS updated access to their Metadata API to acquire a token first and then add that to a header, reducing the usefulness for a potential SSRF. This still keeps the SSRF as a threat in scenarios where, for example, advanced webhooks are used.

REF: https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
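To make the token mechanism in this answer concrete, here is an added example (not code from the answer or from AWS) that checks from inside an instance whether the token requirement is actually enforced, and shows the PUT-then-GET exchange legitimate software has to perform. It assumes only the link-local metadata address; the instance id in the enforcement command is a placeholder.

```powershell
# Added example: verify IMDSv2 enforcement and show the token exchange.

$imds = 'http://169.254.169.254'

# Enforcement is an instance setting, applied from a workstation with the AWS CLI:
#   aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> `
#       --http-tokens required --http-endpoint enabled

function Test-ImdsV1Refused {
    # The request shape a plain SSRF usually produces: GET, no custom headers.
    # With http-tokens=required the service answers 401 Unauthorized.
    try {
        $r = Invoke-WebRequest -UseBasicParsing -Uri "$imds/latest/meta-data/" -TimeoutSec 3
        return ($r.StatusCode -ne 200)
    } catch {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }        # IMDS not reachable at all; surface it
        return ([int]$resp.StatusCode -eq 401)
    }
}

function Get-ImdsWithToken {
    param([string]$Path = 'latest/meta-data/instance-id')
    # Step 1: a PUT carrying a TTL header returns a session token ...
    $token = (Invoke-WebRequest -UseBasicParsing -Method Put -TimeoutSec 3 `
        -Uri "$imds/latest/api/token" `
        -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '21600' }).Content
    # Step 2: ... which every subsequent GET must present. An SSRF that can only
    # issue GETs and cannot set request headers cannot complete this exchange.
    (Invoke-WebRequest -UseBasicParsing -TimeoutSec 3 -Uri "$imds/$Path" `
        -Headers @{ 'X-aws-ec2-metadata-token' = $token }).Content
}

if (Test-ImdsV1Refused) {
    "IMDSv2 enforced: tokenless GET refused. Instance id via v2: $(Get-ImdsWithToken)"
} else {
    'WARNING: tokenless GET succeeded; IMDSv1 is still reachable on this instance.'
}
```

The webhook case the answer mentions is exactly where this check is not sufficient: if the vulnerable feature lets a caller choose the HTTP method and headers, it can perform the PUT itself, so the per-user firewall rule from the first answer and the `--http-put-response-hop-limit` setting (which keeps the token from being relayed through a container or proxy hop) remain worthwhile alongside IMDSv2.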