Security Modules 0.71.0
Last updated in version 0.44.10

ip-lockdown Module


This module locks down specified outgoing IP addresses on a Linux server so that only specific OS users can reach them. The main motivation is locking down the EC2 instance metadata endpoint:

  1. EC2 metadata hands out the credentials needed to assume the IAM role associated with the EC2 instance, and thereby every permission granted to that IAM role.
  2. Locking the metadata down to, for example, only the root user ensures that if an attacker breaks into your server as an unprivileged (non-root) user, they cannot obtain the full power of the IAM role. If the attacker already has root, the lockdown offers no protection, since root can remove the firewall rules.

This module has been tested specifically with Ubuntu, but will probably work with any Debian distribution that uses iptables.


In the example below we restrict access to the EC2 instance metadata endpoint (169.254.169.254) to the users foo, bar and root. All other users on the instance are blocked from reaching it. The IP address is the first argument, followed by the whitelisted users:

./ip-lockdown 169.254.169.254 foo bar root

Normally any user on the instance can make a curl call to 169.254.169.254 to read metadata such as the AWS region or the credentials of the instance's IAM role. After ip-lockdown has run, only foo, bar and root can query that data; outgoing requests from every other user are dropped by the firewall.
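The rules behind that behaviour, as an added example that is not the ip-lockdown script itself: each whitelisted user gets an ACCEPT rule in the iptables OUTPUT chain keyed on the packet's owning UID, followed by a catch-all DROP for the same destination. The function names (ip_lockdown_rules, ip_lockdown_apply, ip_lockdown_check) are this example's own, and it assumes the iptables "owner" match module is available (it is on stock Ubuntu) and that applying runs as root.

```shell
#!/bin/sh
# Added example (not the module's own code): per-user lockdown of one outgoing
# IP with iptables, plus a check to run after applying it.
set -eu

IMDS_IP="169.254.169.254"   # EC2 instance metadata endpoint

# Print, without running, the iptables commands for: allow outgoing traffic
# from the listed OS users to $ip, drop it from everyone else.
# Usage: ip_lockdown_rules IP USER [USER ...]
ip_lockdown_rules() {
  ip="$1"; shift
  for user in "$@"; do
    # --uid-owner accepts a user name or numeric UID. The owner match is only
    # valid in the OUTPUT chain, which is exactly where locally generated
    # packets (curl from a shell, an SDK fetching credentials) are seen.
    printf 'iptables -A OUTPUT -d %s -m owner --uid-owner %s -j ACCEPT\n' "$ip" "$user"
  done
  # Order matters: iptables takes the first matching rule, so the catch-all
  # DROP must be appended after the ACCEPT rules.
  printf 'iptables -A OUTPUT -d %s -j DROP\n' "$ip"
}

# Apply the rules. iptables rules are not persisted across reboots, so this
# belongs in something that runs on every boot (for example EC2 User Data).
ip_lockdown_apply() {
  [ "$(id -u)" -eq 0 ] || { echo "ip_lockdown_apply: must run as root" >&2; return 1; }
  ip_lockdown_rules "$@" | while IFS= read -r rule; do
    # "iptables -C" checks whether an identical rule exists, so re-running on
    # the same host does not stack duplicate rules.
    check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
    $check 2>/dev/null || $rule
  done
}

# Return 0 if $user can still reach the metadata endpoint, 1 if blocked.
# Run as root after applying, e.g. ip_lockdown_check foo (expect 0) and
# ip_lockdown_check nobody (expect 1). Blocked requests time out rather
# than fail fast, because DROP sends no reply; --max-time bounds that.
ip_lockdown_check() {
  user="$1"; ip="${2:-$IMDS_IP}"
  su -s /bin/sh "$user" -c "curl -s --max-time 2 http://$ip/latest/meta-data/ >/dev/null"
}

# Command-line entry point; with no arguments the script only defines the
# functions above.
#   ./lockdown.sh print 169.254.169.254 foo bar root   # show the rules
#   ./lockdown.sh apply 169.254.169.254 foo bar root   # install them (root)
#   ./lockdown.sh check foo                            # can foo still reach IMDS?
case "${1:-}" in
  print) shift; ip_lockdown_rules "$@" ;;
  apply) shift; ip_lockdown_apply "$@" ;;
  check) shift; ip_lockdown_check "$@" ;;
esac
```

Two caveats a practitioner should keep in mind: the owner match identifies the UID of the process that created the socket, so a whitelisted user's processes (including anything an attacker can persuade that user to run) keep their access; and the rules live only in the running kernel, so they must be re-applied on each boot, which is why the module is invoked from User Data.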

A complete example that uses Terraform to deploy a generated AMI into your AWS account and invokes ip-lockdown automatically from User Data is available in the examples folder.


To use this module, you just need to:

  1. Install bash-commons on your servers.
  2. Install the ip-lockdown script on your servers.

The best way to do that is to use the Gruntwork Installer in a Packer template (make sure to replace <BASH_COMMONS_VERSION> and <MODULE_SECURITY_VERSION> below with the latest versions from the bash-commons releases page and terraform-aws-security releases page, respectively):

gruntwork-install --module-name bash-commons --tag <BASH_COMMONS_VERSION> --repo https://github.com/gruntwork-io/bash-commons
gruntwork-install --module-name ip-lockdown --tag <MODULE_SECURITY_VERSION> --repo https://github.com/gruntwork-io/terraform-aws-security

Usage: ip-lockdown <IP> [<USER> ...]

Arguments:

  IP (required; example: 169.254.169.254)
      IP address that will be locked down: outgoing access to it is disabled for all but the users given in the subsequent [<USER> ...] arguments.

  USER (optional; example: root, or any other OS user name)
      Space-separated whitelist of OS users who will be allowed outgoing access to the specified IP address.