AWS AWSEC2 medium security documentation change
Summary
Restructured documentation to emphasize IMDSv2 usage, added OS-specific sections (Linux/Windows), replaced specific role name 's3access' with generic 'role-name' placeholder, and reorganized command examples
Security assessment
The changes promote IMDSv2 token-based authentication over IMDSv1, which AWS recommends as a security best practice to mitigate vulnerabilities like metadata service exploitation. While not explicitly citing a CVE, the restructuring aligns with AWS's security guidance for instance metadata access.
Diff
diff --git a/AWSEC2/latest/UserGuide/instance-metadata-security-credentials.md b/AWSEC2/latest/UserGuide/instance-metadata-security-credentials.md index 70cdabe81..a8b9180dd 100644 --- a//AWSEC2/latest/UserGuide/instance-metadata-security-credentials.md +++ b//AWSEC2/latest/UserGuide/instance-metadata-security-credentials.md @@ -19 +19 @@ If your workload uses a role to assume itself, you must create a trust policy th -The following command retrieves the security credentials for an IAM role named `s3access`. +IMDSv2 @@ -21 +20,0 @@ The following command retrieves the security credentials for an IAM role named ` -cURL @@ -22,0 +22 @@ cURL +###### Linux @@ -24 +24 @@ cURL -**IMDSv2** +Run the following command from your Linux instance to retrieve the security credentials for an IAM role. @@ -27,2 +27,2 @@ cURL - [ec2-user ~]$ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \ - && curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access + TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \ + && curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name @@ -30 +30 @@ cURL -**IMDSv1** +###### Windows @@ -31,0 +32 @@ cURL +Run the following cmdlet from your Windows instance to retrieve the security credentials for an IAM role. @@ -33 +33,0 @@ cURL - [ec2-user ~]$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access @@ -35 +35,3 @@ cURL -PowerShell + [string]$token = Invoke-RestMethod ` + -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"} ` + -Method PUT -Uri http://169.254.169.254/latest/api/token @@ -38 +40,3 @@ PowerShell -**IMDSv2** + Invoke-RestMethod ` + -Headers @{"X-aws-ec2-metadata-token" = $token} ` + -Method GET -Uri http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name @@ -39,0 +44 @@ PowerShell +IMDSv1 @@ -41 +45,0 @@ PowerShell - PS C:\> [string]$token = Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"} -Method PUT -Uri http://169.254.169.254/latest/api/token @@ -42,0 +47 @@ PowerShell +###### Linux @@ -44 +49 @@ PowerShell - PS C:\> Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token" = $token} -Method GET -Uri http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access +Run the following command from your Linux instance to retrieve the security credentials for an IAM role. @@ -46 +50,0 @@ PowerShell -**IMDSv1** @@ -47,0 +52 @@ PowerShell + curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name @@ -49 +54,6 @@ PowerShell - PS C:\> Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access +###### Windows + +Run the following cmdlet from your Windows instance to retrieve the security credentials for an IAM role. + + + Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name