InstanceMetaDataV1V2
The enhancement of the EC2 Instance Metadata Service (IMDSv2) strengthens the defense against vulnerabilities that abuse the metadata endpoint.
What changed in V2
AWS official blog: https://aws.amazon.com/jp/blogs/news/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
Reference: SSRF basics
How to check
The setting can be checked with aws ec2 describe-instances.
Example command
aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId, MetadataOptions]'
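As an added example (not code from the original page or from AWS), the following POSIX shell script turns the describe-instances query above into an audit: it extends the query to the MetadataOptions fields, prints them as tab-separated text, picks out instances whose metadata endpoint is enabled but whose HttpTokens is still optional (IMDSv1 reachable), and can switch those instances to IMDSv2-only with modify-instance-metadata-options. The sample rows are constructed, and the IMDS_AUDIT / IMDS_FIX variables are this example's own convention.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes a configured AWS CLI.
# With `--output text` the CLI prints one tab-separated row per instance in
# the order of the --query list:
#   InstanceId  HttpTokens  HttpEndpoint  HttpPutResponseHopLimit

# Print the raw rows for every instance in the current region/profile.
list_imds_options() {
  aws ec2 describe-instances \
    --query 'Reservations[].Instances[].[InstanceId, MetadataOptions.HttpTokens, MetadataOptions.HttpEndpoint, MetadataOptions.HttpPutResponseHopLimit]' \
    --output text
}

# Read rows on stdin and print the InstanceId of each instance whose endpoint
# is enabled but does not require a token (HttpTokens = optional), which means
# IMDSv1 still answers on that instance.
find_imdsv1_allowed() {
  awk -F'\t' '$2 == "optional" && $3 == "enabled" { print $1 }'
}

# Switch one instance to IMDSv2-only. A hop limit of 1 (the default) also
# prevents the token PUT response from being forwarded through a container or
# proxy hop; raise it only where containerised workloads must reach the IMDS.
enforce_imdsv2() {
  aws ec2 modify-instance-metadata-options \
    --instance-id "$1" \
    --http-tokens required \
    --http-endpoint enabled \
    --http-put-response-hop-limit 1
}

# Constructed sample of what list_imds_options prints (fictitious instance IDs).
SAMPLE_ROWS="$(printf 'i-0123456789abcdef0\toptional\tenabled\t1\ni-0fedcba9876543210\trequired\tenabled\t2\ni-0aaaaaaaaaaaaaaaa\toptional\tdisabled\t1')"

# Usage: IMDS_AUDIT=1 sh imds_audit.sh            (report only)
#        IMDS_AUDIT=1 IMDS_FIX=1 sh imds_audit.sh  (report and enforce)
if [ "${IMDS_AUDIT:-0}" = "1" ]; then
  list_imds_options | find_imdsv1_allowed | while read -r id; do
    echo "IMDSv1 still allowed on $id"
    if [ "${IMDS_FIX:-0}" = "1" ]; then
      enforce_imdsv2 "$id"
    fi
  done
fi
```

The filter treats an instance with HttpEndpoint disabled as already safe, since the metadata service is unreachable there regardless of the token setting; run the report first and confirm that the affected workloads already use token-based access before enabling IMDS_FIX.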
Retrieving metadata
・Windows: https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/WindowsGuide/instancedata-data-retrieval.html
・Linux: https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
Behavior of V1 and V2
The setting can also be confirmed from the behavior of the endpoint.
With v2, accessing http://169.254.169.254 without first issuing a token returns a 401 error, as shown below.
With v1, results can be retrieved from http://169.254.169.254 even without issuing a token.
### V2 (required)

```
[root@]# curl http://169.254.169.254/latest/
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>401 - Unauthorized</title>
 </head>
 <body>
  <h1>401 - Unauthorized</h1>
 </body>
</html>
[root@]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -v -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    56  100    56    0     0  16331      0 --:--:-- --:--:-- --:--:-- 18666
*   Trying 169.254.169.254:80...
* Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
> GET /latest/ HTTP/1.1
> Host: 169.254.169.254
> User-Agent: curl/7.87.0
> Accept: */*
> X-aws-ec2-metadata-token: AQAAYDJARJ0skbx71xcE9AJyMZ2pQ=0WEqzsMZwb9ZoGPpYXZr8UdRe=
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Accept-Ranges: bytes
< Content-Length: 27
< Content-Type: text/plain
< Date: Tue, 07 Mar 2023 12:59:30 GMT
< Last-Modified: Tue, 07 Mar 2023 12:30:20 GMT
< X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 21600
< Connection: close
< Server: EC2ws
<
dynamic
meta-data
* Closing connection 0
```
### V1 (optional)

```
[root@]# curl http://169.254.169.254/latest/
dynamic
meta-data
[root@]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -v -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    56  100    56    0     0  11620      0 --:--:-- --:--:-- --:--:-- 14000
*   Trying 169.254.169.254:80...
* Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
> GET /latest/ HTTP/1.1
> Host: 169.254.169.254
> User-Agent: curl/7.87.0
> Accept: */*
> X-aws-ec2-metadata-token: AQAAYDJARJ0skbx71xcE9AJyMZ2pQ=0WEqzsMZwb9ZoGPpYXZr8UdRe=
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Accept-Ranges: bytes
< Content-Length: 27
< Content-Type: text/plain
< Date: Tue, 07 Mar 2023 12:57:08 GMT
< Last-Modified: Tue, 07 Mar 2023 11:06:31 GMT
< X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 21600
< Connection: close
< Server: EC2ws
<
dynamic
meta-data
* Closing connection 0
```
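As an added example (not from the original page or from AWS), the following POSIX shell script performs the same two checks as the sessions above from inside the instance: a GET on /latest/ without a token, whose status (200 or 401) tells whether IMDSv1 is still served, followed by the IMDSv2 token PUT and a tokened GET. As the V1 (optional) session shows, the token path already works before the switch, so clients can be moved to token-based access first and HttpTokens=required enabled afterwards. IMDS_BASE and IMDS_PROBE are assumptions of this example, not AWS settings.

```shell
#!/bin/sh
# Added example, not from the original page. Meant to run on an EC2 instance;
# IMDS_BASE is an assumed override so the functions can be pointed elsewhere.
IMDS_BASE="${IMDS_BASE:-http://169.254.169.254}"

# HTTP status of a plain GET without a token.
# 200 = IMDSv1 still served, 401 = v2 only, 000 = no answer within 2 seconds.
imds_v1_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 2 "$IMDS_BASE/latest/"
}

# Obtain an IMDSv2 session token: a PUT with the TTL header, the step that a
# plain GET-based request forgery normally cannot perform. Prints the token,
# or nothing on failure. The TTL in seconds is the first argument.
imds_v2_token() {
  curl -s --max-time 2 -X PUT "$IMDS_BASE/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: ${1:-300}"
}

# Fetch a metadata path with a token, e.g. imds_v2_get "$token" latest/
imds_v2_get() {
  curl -s --max-time 2 -H "X-aws-ec2-metadata-token: $1" "$IMDS_BASE/$2"
}

# Map the untokened GET status to a human-readable verdict. Kept separate from
# the network calls so it can be checked without an instance.
imds_verdict() {
  case "$1" in
    200) echo "IMDSv1 still enabled (HttpTokens=optional)" ;;
    401) echo "IMDSv2 enforced (HttpTokens=required)" ;;
    000) echo "IMDS unreachable (endpoint disabled or not on EC2)" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Usage: IMDS_PROBE=1 sh imds_probe.sh
if [ "${IMDS_PROBE:-0}" = "1" ]; then
  status="$(imds_v1_status)"
  echo "untokened GET /latest/ -> $status: $(imds_verdict "$status")"
  token="$(imds_v2_token 300)"
  if [ -n "$token" ]; then
    echo "IMDSv2 token obtained; /latest/ via token:"
    imds_v2_get "$token" latest/
  else
    echo "no IMDSv2 token returned"
  fi
fi
```

A short TTL (300 seconds here, versus the 21600 used in the sessions above) limits how long a leaked token remains usable; the 2-second timeout keeps the probe from hanging on hosts where the endpoint is disabled.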
Aws/EC2/InstanceMetaData01.txt · Last modified: 2023/03/08 by admin