ip-lockdown ModuleView SourceRelease Notes
This module can lock down specified outgoing ip addresses on a Linux server such that only specific OS users can access them. The main motivation for locking down EC2 metadata is as follows:
- EC2 metadata gives you the credentials you need to assume any IAM role associated with the EC2 instance, and thereby, get all the permissions available in that IAM role.
- Locking down the metadata to, for example, only the root user, makes sure that if a hacker breaks into your server with a privileged user, they cannot get the full power of the IAM role.
This module has been tested specifically with Ubuntu, but will probably work with any Debian distribution that uses iptables.
In the example below we restrict access to ec2-instance-metadata endpoint to the users
root. All other users on the instance will be blocked from access.
./ip-lockdown 169.254.169.254 foo bar root
Normally users make a
curl call to get metadata like the AWS region or credentials associated with this EC2 Instance's IAM Role. Following the invocation of ip-lockdown, only users foo, bar, and root can query that data.
The complete example of using terraform to deploy a generated AMI into your AWS account and automatically invoke
ip-lockdown from the
User Data is also available in the examples folder.
To use this module, you just need to:
- Install bash-commons on your servers.
- Install the
ip-lockdownscript on your servers.
The best way to do that is to use the Gruntwork Installer in a
Packer template (make sure to replace
<MODULE_SECURITY_VERSION> below with the latest versions from the bash-commons releases
page and terraform-aws-security releases
gruntwork-install --module-name bash-commons --tag <BASH_COMMONS_VERSION> --repo https://github.com/gruntwork-io/bash-commons
gruntwork-install --module-name ip-lockdown --tag <MODULE_SECURITY_VERSION> --repo https://github.com/gruntwork-io/terraform-aws-security
|IP address that will be locked down (outgoing access will be disabled) for all but the users specified in subequent
[<USER> ... ]] arguments
|Space separated whitelist of users who will be allowed outgoing access to specified ip address
|root (or any other OS user name)