Aws:EC2:InstanceMetaData01
InstanceMetaDataV1V2
The EC2 Instance Metadata Service was extended (IMDSv2) to strengthen its defenses against vulnerabilities.
What changed in V2
AWS official blog: https://aws.amazon.com/jp/blogs/news/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
Reference: SSRF basics
How to check
You can check the setting with aws ec2 describe-instances.
Example command
aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId, MetadataOptions]'
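To turn the describe-instances output above into an audit, here is an added example (not code from the page or from AWS). It consumes the JSON that the command prints with that `--query`, a list of `[InstanceId, MetadataOptions]` pairs, flags every instance whose endpoint still answers token-less (v1) requests, and builds the `modify-instance-metadata-options` call that enforces v2. The sample rows are constructed; the hop-limit threshold is a policy choice (containers using bridge networking legitimately need 2).

```python
"""Audit describe-instances MetadataOptions for IMDSv1 exposure (added example, constructed data)."""
import json

# Constructed sample in the shape produced by:
#   aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId, MetadataOptions]'
SAMPLE = json.loads("""
[
  ["i-0aaa111example", {"State": "applied", "HttpTokens": "required",
                        "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}],
  ["i-0bbb222example", {"State": "applied", "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}],
  ["i-0ccc333example", {"State": "applied", "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}],
  ["i-0ddd444example", {"State": "applied", "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}]
]
""")


def audit_metadata_options(rows, max_hop_limit=1):
    """Return {instance_id: [findings]} for instances that are not IMDSv2-only.

    HttpEndpoint == "disabled" means the instance has no metadata endpoint at all,
    so it is skipped. HttpTokens != "required" means v1 (token-less) requests are
    still served. A hop limit above max_hop_limit (assumed policy: 1) lets a
    forwarded PUT response leave the instance, so it is reported as well.
    """
    findings = {}
    for instance_id, opts in rows:
        if opts.get("HttpEndpoint") == "disabled":
            continue
        issues = []
        if opts.get("HttpTokens") != "required":
            issues.append("HttpTokens=%s (IMDSv1 allowed)" % opts.get("HttpTokens"))
        hop_limit = int(opts.get("HttpPutResponseHopLimit", 1))
        if hop_limit > max_hop_limit:
            issues.append("HttpPutResponseHopLimit=%d (> %d)" % (hop_limit, max_hop_limit))
        if issues:
            findings[instance_id] = issues
    return findings


def remediation_commands(findings, hop_limit=1):
    """Build one `aws ec2 modify-instance-metadata-options` call per flagged instance.

    --http-tokens required switches the instance to IMDSv2 only; the hop-limit
    flag is appended only when the audit flagged the hop limit.
    """
    cmds = []
    for instance_id, issues in sorted(findings.items()):
        cmd = ("aws ec2 modify-instance-metadata-options --instance-id %s "
               "--http-tokens required --http-endpoint enabled" % instance_id)
        if any(issue.startswith("HttpPutResponseHopLimit") for issue in issues):
            cmd += " --http-put-response-hop-limit %d" % hop_limit
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    result = audit_metadata_options(SAMPLE)
    for instance_id, issues in result.items():
        print(instance_id, "->", "; ".join(issues))
    print("\n".join(remediation_commands(result)))
```

Pipe the real command's output through `json.load` and pass it to `audit_metadata_options` to run this against an account; the function only reads the two `MetadataOptions` fields that matter for v1 exposure, so extra fields in newer CLI versions are ignored.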
Retrieving metadata
・Windows: https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/WindowsGuide/instancedata-data-retrieval.html
・Linux: https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
V1/V2 behavior
You can also confirm the setting from the behavior.
With v2 (tokens required), accessing http://169.254.169.254 without first issuing a token returns a 401 error, as shown below.
With v1, results can be retrieved from http://169.254.169.254 even without issuing a token.
### V2 (required) case
```
[root@]# curl http://169.254.169.254/latest/
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>401 - Unauthorized</title>
</head>
<body>
<h1>401 - Unauthorized</h1>
</body>
</html>
[root@]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 56 100 56 0 0 16331 0 --:--:-- --:--:-- --:--:-- 18666
* Trying 169.254.169.254:80...
* Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
> GET /latest/ HTTP/1.1
> Host: 169.254.169.254
> User-Agent: curl/7.87.0
> Accept: */*
> X-aws-ec2-metadata-token: AQAAYDJARJ0skbx71xcE9AJyMZ2pQ=0WEqzsMZwb9ZoGPpYXZr8UdRe=
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Accept-Ranges: bytes
< Content-Length: 27
< Content-Type: text/plain
< Date: Tue, 07 Mar 2023 12:59:30 GMT
< Last-Modified: Tue, 07 Mar 2023 12:30:20 GMT
< X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 21600
< Connection: close
< Server: EC2ws
<
dynamic
meta-data
* Closing connection 0
```
### V1 (optional) case
```
[root@]# curl http://169.254.169.254/latest/
dynamic
meta-data
[root@]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 56 100 56 0 0 11620 0 --:--:-- --:--:-- --:--:-- 14000
* Trying 169.254.169.254:80...
* Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
> GET /latest/ HTTP/1.1
> Host: 169.254.169.254
> User-Agent: curl/7.87.0
> Accept: */*
> X-aws-ec2-metadata-token: AQAAYDJARJ0skbx71xcE9AJyMZ2pQ=0WEqzsMZwb9ZoGPpYXZr8UdRe=
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Accept-Ranges: bytes
< Content-Length: 27
< Content-Type: text/plain
< Date: Tue, 07 Mar 2023 12:57:08 GMT
< Last-Modified: Tue, 07 Mar 2023 11:06:31 GMT
< X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 21600
< Connection: close
< Server: EC2ws
<
dynamic
meta-data
* Closing connection 0
```
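The V1/V2 behavior shown in the two sessions above can be exercised offline with the added example below (not code from the page or from AWS). It runs a small local HTTP server that imitates the token rules of 169.254.169.254 in either `optional` or `required` mode, and a client that performs the same two-step handshake as the curl commands: `PUT /latest/api/token` with `X-aws-ec2-metadata-token-ttl-seconds`, then `GET /latest/` with `X-aws-ec2-metadata-token`. The token values, the 400/403 status codes used for bad PUTs, and the `dynamic`/`meta-data` listing are constructed to mirror the page's output; the real service issues opaque tokens, caps the TTL at 21600 seconds and applies the hop limit, which this emulator does not model.

```python
"""Local emulation of IMDSv1 (optional) vs IMDSv2 (required) token handling.
Added example with constructed values; not AWS code."""
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
LISTING = b"dynamic\nmeta-data\n"  # same /latest/ listing the page's curl calls show


class FakeImds(BaseHTTPRequestHandler):
    """Serves /latest/api/token (PUT) and /latest/ (GET) under one of two policies:
    http_tokens = "optional" (v1 requests still answered) or "required" (v2 only)."""
    http_tokens = "required"
    tokens = {}  # token -> expiry (unix time); class-level so all handler instances share it

    def log_message(self, *args):  # keep the emulator quiet
        pass

    def do_PUT(self):
        if self.path != "/latest/api/token":
            return self._reply(404, b"")
        # The linked AWS post explains that IMDSv2 refuses token PUTs carrying
        # X-Forwarded-For, which defeats open reverse proxies; 403 is our choice here.
        if self.headers.get("X-Forwarded-For"):
            return self._reply(403, b"")
        ttl = self.headers.get(TTL_HEADER)
        # A PUT without a valid TTL header (1..21600 s) gets no token; 400 is our choice.
        if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400, b"")
        token = secrets.token_urlsafe(32)
        FakeImds.tokens[token] = time.time() + int(ttl)
        self._reply(200, token.encode(), extra={TTL_HEADER: ttl})

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        valid = token in FakeImds.tokens and FakeImds.tokens[token] > time.time()
        if FakeImds.http_tokens == "required" and not valid:
            return self._reply(401, b"401 - Unauthorized")
        if self.path == "/latest/":
            return self._reply(200, LISTING)
        self._reply(404, b"")

    def _reply(self, status, body, extra=None):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


def start_fake_imds(http_tokens):
    """Start the emulator on a random loopback port in a daemon thread.
    Returns (base_url, server); call server.shutdown() when done."""
    FakeImds.http_tokens = http_tokens
    FakeImds.tokens = {}
    srv = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv


def get_token(base_url, ttl=21600):
    """IMDSv2 step 1: PUT /latest/api/token with the TTL header; returns the session token."""
    req = urllib.request.Request(base_url + "/latest/api/token", method="PUT",
                                 headers={TTL_HEADER: str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_listing(base_url, token=None):
    """IMDSv2 step 2 (or a bare v1 request when token is None): GET /latest/.
    Returns (status, body) instead of raising, so 401 can be inspected."""
    headers = {TOKEN_HEADER: token} if token else {}
    req = urllib.request.Request(base_url + "/latest/", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    for mode in ("required", "optional"):
        base, srv = start_fake_imds(mode)
        print(mode, "without token:", fetch_listing(base)[0])
        print(mode, "with token:", fetch_listing(base, get_token(base))[0])
        srv.shutdown()
```

Running the block prints `401` for the token-less request only in `required` mode and `200` in every other case, which is exactly the difference the two curl sessions above demonstrate. Applications that still read metadata with a plain GET will break the moment `HttpTokens` is switched to `required`, so the client half of this example doubles as a template for the change they need.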
Aws/EC2/InstanceMetaData01.txt · Last modified: 2023/03/08 by admin