Re: Hardening access to metadata in OpenStack instances
On Tue, Sep 02, 2025 at 09:19:51AM -0400, Jonathan Proulx wrote:
> Restricting access to metadata would be a surprising default as other
> distributions and cloud platforms (AWS) don't, so there's pretty wide
> expectation that unprivileged users can get this information.
IMDS is open to all users on AWS by default, but they do have their
session-based IMDSv2 with additional IP TTL based restrictions intended
to protect against unauthorized access over bridged or proxied
interfaces. It's possible to block access to the original non-session-based
interface. [1]
Microsoft is developing a Guest Proxy Agent for Azure that attempts to
provide IMDS access policy enforcement on the client side. The default
behavior of this proxy will be to block IMDS access to non-root users.
[2] (I wonder what this agent would do if deployed on OpenStack...)
So there is work being done to control IMDS access in commercial clouds.
What is the current best practice in the OpenStack community? Is there
a better interface than the iptables CLI for configuring policy-based
IMDS access? That seems like a better direction to take.
noah
1. https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/
2. https://github.com/Azure/GuestProxyAgent
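As an added illustration of the session-based IMDSv2 flow and the "IMDSv1 blocked" state mentioned above (this is not code from the thread, AWS or Azure): a local mock endpoint stands in for the real service, the instance-id it serves is a constructed sample value, and the mock cannot model the IP TTL (hop limit) restriction, only the token requirement.

```python
import http.server, secrets, threading, urllib.request, urllib.error

# Constructed sample metadata served by the mock (not data from a real instance).
SAMPLE_METADATA = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}
TOKENS = set()  # session tokens issued by the mock

class MockImds(http.server.BaseHTTPRequestHandler):
    """Stand-in for an IMDSv2-only endpoint: token-less (IMDSv1-style) GETs are refused."""
    def log_message(self, *args): pass  # keep the demo quiet
    def do_PUT(self):
        # IMDSv2 session start: PUT to the token path with a TTL header.
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        if self.path != "/latest/api/token" or not ttl or not ttl.isdigit():
            return self._send(400, b"bad token request")
        tok = secrets.token_urlsafe(16); TOKENS.add(tok)
        self._send(200, tok.encode())
    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") not in TOKENS:
            return self._send(401, b"")  # IMDSv1 disabled: no session, no data
        body = SAMPLE_METADATA.get(self.path)
        self._send(200, body.encode()) if body else self._send(404, b"")
    def _send(self, code, body):
        self.send_response(code); self.send_header("Content-Length", str(len(body)))
        self.end_headers(); self.wfile.write(body)

def start_mock():
    """Start the mock on a random loopback port; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"

def get_token(base, ttl=21600):
    """Client side of the IMDSv2 session start (PUT with a TTL header)."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with urllib.request.urlopen(req) as r:
        return r.read().decode()

def get_metadata(base, path, token=None):
    """Return (status, body); token=None behaves like a legacy IMDSv1 client."""
    hdrs = {"X-aws-ec2-metadata-token": token} if token else {}
    try:
        with urllib.request.urlopen(urllib.request.Request(base + path, headers=hdrs)) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""

if __name__ == "__main__":
    srv, base = start_mock()
    print("v1-style GET:", get_metadata(base, "/latest/meta-data/instance-id"))
    print("v2 session GET:", get_metadata(base, "/latest/meta-data/instance-id", get_token(base)))
    srv.shutdown()
```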