Restrict the use of host networking and block access to instance metadata service - Security Practices for Multi-Tenant SaaS Applications using Amazon EKS

Restrict the use of host networking and block access to instance metadata service

The EC2 Instance Metadata Service (IMDS) is accessible to all EC2 instances by default. This service provides useful introspection facilities, such as determining a node’s availability zone, instance ID, and so forth. In addition, IMDS provides access to IAM credentials that allow applications to assume the instance’s IAM role.

By default, every EC2 node in an EKS cluster is provided certain privileges necessary to bootstrap itself and assign IP addresses to pods. For example, a node can attach a VPC network interface and discover information about the EKS cluster it attaches to. While these privileges are required for the node to operate effectively, it is not usually desirable that the pods running on the node inherit these privileges.

One way to block pod IMDS access is to apply a network policy, enforced by the Amazon VPC CNI or an add-on such as Calico, to ensure pods are unable to reach the Instance Metadata Service. To do this, configure your network policy to block egress traffic to 169.254.0.0/16.

Another way to block pod IMDS access is to require IMDS version 2 (IMDSv2) and to set the maximum hop count (the HttpPutResponseHopLimit metadata option) to 1. Configured this way, IMDS rejects requests from pods, because the session token response cannot travel the additional network hop into a pod's own network namespace; the protection does not apply to pods that use host networking, since those share the node's network namespace.

Additionally, AWS recommends forbidding untrusted pods from using host networking.

Admission controllers, discussed in Use admission controllers to enforce security policies, can help enforce this prohibition.
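The three controls above (a NetworkPolicy that drops egress to the link-local range, IMDSv2 with a hop limit of 1, and an admission check that rejects hostNetwork pods) as one added Python example; this is not code from the AWS guide or from any EKS component. It assumes the MetadataOptions shape returned by `aws ec2 describe-instances`, and it assumes that kube-system is the only namespace whose pods legitimately need host networking.

```python
import ipaddress

IMDS_IP = ipaddress.ip_address("169.254.169.254")

# Constructed manifest: allow all pod egress except the link-local range
# that hosts IMDS. Applies to every pod in the namespace it is created in.
BLOCK_IMDS_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "block-imds-egress"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                         "except": ["169.254.0.0/16"]}}]}],
    },
}

def policy_blocks_imds(policy):
    """True if this policy leaves no egress path to the IMDS address."""
    spec = policy["spec"]
    if "Egress" not in spec.get("policyTypes", []):
        return False  # policy does not restrict egress at all
    for rule in spec.get("egress", []):
        peers = rule.get("to")
        if not peers:
            return False  # a rule with no "to" allows every destination
        for peer in peers:
            block = peer.get("ipBlock")
            if block is None:
                continue  # pod/namespace selectors never match a link-local IP
            if IMDS_IP in ipaddress.ip_network(block["cidr"]) and not any(
                IMDS_IP in ipaddress.ip_network(c) for c in block.get("except", [])
            ):
                return False  # an allow rule still reaches IMDS
    return True  # no rule (or an empty egress list) permits IMDS

def imds_hardened(metadata_options):
    """Check a MetadataOptions dict as returned by `aws ec2 describe-instances`."""
    return (metadata_options.get("HttpTokens") == "required"
            and metadata_options.get("HttpPutResponseHopLimit") == 1)

def admit_pod(pod, trusted_namespaces=("kube-system",)):
    """Admission decision: reject hostNetwork pods outside trusted namespaces."""
    # kube-system is assumed trusted because CNI and kube-proxy pods need hostNetwork.
    ns = pod.get("metadata", {}).get("namespace", "default")
    if pod.get("spec", {}).get("hostNetwork", False) and ns not in trusted_namespaces:
        return False, f"hostNetwork is not permitted in namespace {ns}"
    return True, "allowed"
```

A policy that allows egress to 0.0.0.0/0 with no `except` list, or that omits `Egress` from `policyTypes`, is reported as not blocking IMDS, which is the misconfiguration most often seen in practice.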