Amazon is adding a new security feature to its AWS cloud platform that’s designed to help prevent attacks that exploit some of the more common weaknesses affecting EC2 instances, including SSRF and misconfigured web application firewalls.
One of the security protections that AWS has had for many years is a feature called the Instance Metadata Service (IMDS), which allows customers to use temporary credentials to access their EC2 instances. This eliminates any need for customers to distribute valuable credentials to each instance individually. Those temporary credentials are rotated on a regular basis and they’re made available to any identity and access management role associated with a particular instance.
The IMDS feature works well in that context, but there are a handful of fairly common vulnerabilities and attack vectors that AWS security analysts decided needed further mitigations. In IMDSv2, which AWS has enabled by default for all customers, the company is providing per-session authentication for every EC2 instance through the use of a secret token that functions as a password.
“A session begins and ends a series of requests that software running on an EC2 instance uses to access the locally-stored EC2 instance metadata and credentials. The software starts a session with a simple HTTP PUT request to IMDSv2. IMDSv2 returns a secret token to the software running on the EC2 instance, which will use the token as a password to make requests to IMDSv2 for metadata and credentials. Unlike traditional passwords, you don’t need to worry about getting the token to the software, because the software gets it for itself with the PUT request,” Colm MacCarthaigh, an engineer at AWS, wrote in a post on the new feature.
“The token is never stored by IMDSv2 and can never be retrieved by subsequent calls, so a session and its token are effectively destroyed when the process using the token terminates.”
The new feature is specifically meant to provide protection against some commonly used attack vectors on cloud platforms, including server-side request forgery (SSRF). That attack enables adversaries to abuse web apps to make requests to or modify internal resources. SSRF attacks are quite common, and IMDSv2 is designed to prevent them through the combination of the HTTP PUT request that starts a session and the secret token that every later request must carry.
“SSRF vulnerabilities vary in their severity, and some are immune to other types of mitigations. For instance, blocking SSRFs through static headers in instance metadata requests is effective only when the vulnerability merely allows the attacker to control the URL that is being requested; however, AWS analysis found many SSRF vulnerabilities that allow attackers to set arbitrary headers because the SSRF vulnerability impacts the application’s own header processing,” MacCarthaigh said.
“IMDSv2’s combination of beginning a session with a PUT request, and then requiring the secret session token in other requests, is always strictly more effective than requiring only a static header. AWS analysis of real-world vulnerabilities found that this combination protects against the vast majority of SSRF vulnerabilities.”
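To make the session flow concrete, here is an added Python example (not AWS's code): a constructed localhost stand-in for IMDS that behaves as if tokens were required, the client-side PUT-then-GET exchange, and a defender's check that a token-less, IMDSv1-style GET is refused. The two header names and the `/latest/api/token` path are the real IMDSv2 ones; the server, its token bookkeeping and the instance id are assumptions made for the example.

```python
import secrets, threading, time, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HDR = "X-aws-ec2-metadata-token"            # real IMDSv2 header name
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"  # real IMDSv2 header name
FAKE_INSTANCE_ID = "i-0123456789abcdef0"          # constructed sample value
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

class FakeIMDSv2(BaseHTTPRequestHandler):  # constructed stand-in, not AWS code
    tokens = {}  # token -> expiry time, shared by all handler instances
    def log_message(self, *args): pass  # keep request logging quiet

    def do_PUT(self):  # the only way to obtain a session token
        ttl = int(self.headers.get(TTL_HDR, "0"))
        if self.path != "/latest/api/token" or not 1 <= ttl <= 21600:
            return self._reply(400, "bad token request")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + ttl
        self._reply(200, token)

    def do_GET(self):
        token = self.headers.get(TOKEN_HDR)
        if token not in self.tokens or self.tokens[token] < time.time():
            return self._reply(401, "Unauthorized")  # token-less v1-style request
        self._reply(200, FAKE_INSTANCE_ID)  # only the instance-id path is modelled

    def _reply(self, code, body):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body.encode())

def start_fake_imds():  # serve on an ephemeral localhost port, return the base URL
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDSv2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def request(url, method="GET", headers=None):  # returns (status, body), 4xx included
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with OPENER.open(req, timeout=3) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def imdsv2_get(base, path, ttl=21600):  # client side of one session: PUT, then GET with token
    status, token = request(f"{base}/latest/api/token", "PUT", {TTL_HDR: str(ttl)})
    return request(f"{base}{path}", "GET", {TOKEN_HDR: token})

def v1_call_is_rejected(base, path="/latest/meta-data/instance-id"):
    return request(f"{base}{path}")[0] == 401  # token-less GET must fail when v2 is enforced
```

A URL-only SSRF can issue the GET but not the PUT, which is why it ends at the 401 branch; the same check, pointed at a real instance, tells you whether IMDSv2 is actually being enforced there.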
IMDSv2’s use of PUT requests to begin sessions is also one of the methods AWS is using to protect against misconfigured WAFs that can allow access to EC2 instances. Open WAFs typically will simply pass on the requests they get to the target application, along with any headers that come with the requests. That can be dangerous, so AWS’s approach involves using PUT requests, which most open WAFs don’t support.
“Our analysis of third-party WAF products and open WAF misconfigurations found that the vast majority do not permit HTTP PUT requests. We’re using this PUT request to provide a new layer of defense that goes beyond any existing capabilities – we’ve architected the IMDSv2 service to require a PUT request at the beginning of a session, which will prevent open WAFs from being abused to access the IMDS in the vast majority of cases,” MacCarthaigh said.
The addition of IMDSv2 also helps protect against open reverse proxies, as well as open layer 3 firewalls and other NAT devices.