Restrict the use of host networking and block access to instance metadata service

The EC2 Instance Metadata Service (IMDS) is accessible to all EC2 instances by default. This service provides useful introspection facilities, such as determining a node’s availability zone, instance ID, and so forth. In addition, IMDS provides access to IAM credentials that allow applications to assume the instance’s IAM role.

By default, every EC2 node in an EKS cluster is provided certain privileges necessary to bootstrap itself and assign IP addresses to pods. For example, a node can attach a VPC network interface and discover information about the EKS cluster it attaches to. While these privileges are required for the node to operate effectively, it is not usually desirable that the pods running on the node inherit these privileges.

One way to block pod IMDS access is to apply a network policy, enforced by the Amazon VPC CNI or an add-on such as Calico, to ensure pods are unable to reach the Instance Metadata Service. To do this, configure your network policy to block egress traffic to 169.254.0.0/16.

Another way to block pod IMDS access is to require IMDS version 2 (IMDSv2) to be used, and to set the maximum hop count to 1. Configuring IMDS this way will cause requests to IMDS from pods to be rejected, provided those pods do not use host networking.

Additionally, AWS recommends forbidding untrusted pods from using host networking.

Admission controllers, discussed in Use admission controllers to enforce security policies, can help enforce this prohibition.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Restrict mounting host filesystems

Restrict creation of services with external IP addresses