Metadata Access Disabled
Also read: Metadata on GCP Compute Engine and IP Addressing on Compute Engine VMs
Overview
The metadata of an EC2 instance can contain an access key ID and secret access key. Those two values are all that is needed for account-level access (they replace the username/password combination).
Hence, having this data in plaintext in the metadata (or user data) of an EC2 instance (or an Elastic Beanstalk instance) is problematic.
Ideal Solution - Secrets Manager
The ideal solution is to store these values in Secrets Manager and have them retrieved from Secrets Manager instead of placing them in the metadata.
Short Term Potential Solution
If access to an instance's metadata can be disabled, that provides some level of protection. At instance launch time, there is an option to disable it.
Summary
Instance-level metadata (EC2 metadata) needs to be disabled if there is the potential for plaintext secrets to be in the metadata.
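The following is an added example, not code from the original post, that puts the three points above together: it scans an instance's base64-encoded user data for plaintext access key IDs and secret access keys, disables the instance metadata endpoint, and reads a value from Secrets Manager instead. The boto3 calls used (describe_instance_attribute, modify_instance_metadata_options, get_secret_value) are real AWS APIs; it goes beyond the post in showing that the endpoint can also be switched off on an already running instance, not only at launch. The sample user data, the instance id and the secret name are constructed placeholders, and the credential values in it are the placeholders AWS uses in its documentation.

```python
"""Audit EC2 user data for plaintext AWS credentials, then remediate."""
import base64
import re

# Patterns for AWS access key IDs and secret access keys as they typically
# appear in shell-style user data. Secret keys are matched only next to a
# recognisable variable name, to limit false positives.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)


def find_plaintext_credentials(user_data_b64: str) -> dict:
    """Decode base64 user data (the form DescribeInstanceAttribute returns)
    and report any access key IDs / secret keys found in it."""
    text = base64.b64decode(user_data_b64).decode("utf-8", errors="replace")
    return {
        "access_key_ids": ACCESS_KEY_RE.findall(text),
        "secret_key_count": len(SECRET_KEY_RE.findall(text)),
    }


def audit_instance_user_data(ec2, instance_id: str) -> dict:
    """Fetch an instance's user data through a boto3 EC2 client and scan it."""
    resp = ec2.describe_instance_attribute(
        InstanceId=instance_id, Attribute="userData"
    )
    b64 = resp.get("UserData", {}).get("Value", "")
    if not b64:
        return {"access_key_ids": [], "secret_key_count": 0}
    return find_plaintext_credentials(b64)


def disable_metadata_endpoint(ec2, instance_id: str) -> dict:
    """Turn off the instance metadata service endpoint on a running instance.
    The launch-time equivalent is
    run_instances(..., MetadataOptions={"HttpEndpoint": "disabled"})."""
    return ec2.modify_instance_metadata_options(
        InstanceId=instance_id, HttpEndpoint="disabled"
    )


def fetch_secret(secretsmanager, secret_id: str) -> str:
    """Retrieve a secret's string value from Secrets Manager at runtime
    instead of baking it into user data."""
    return secretsmanager.get_secret_value(SecretId=secret_id)["SecretString"]


# Constructed sample user data: the key values are AWS documentation
# placeholders, not real credentials.
SAMPLE_USER_DATA = base64.b64encode(
    b"#!/bin/bash\n"
    b"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    b"export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    b"aws s3 sync s3://example-bucket /data\n"
).decode()

# Constructed user data with no credentials, for comparison.
CLEAN_USER_DATA = base64.b64encode(b"#!/bin/bash\necho hello\n").decode()

if __name__ == "__main__":
    print(find_plaintext_credentials(SAMPLE_USER_DATA))
    print(find_plaintext_credentials(CLEAN_USER_DATA))
    # Real usage (needs AWS credentials and a real instance id, placeholder here):
    # import boto3
    # ec2 = boto3.client("ec2")
    # if audit_instance_user_data(ec2, "i-0123456789abcdef0")["access_key_ids"]:
    #     disable_metadata_endpoint(ec2, "i-0123456789abcdef0")
    # db_password = fetch_secret(boto3.client("secretsmanager"), "example/db-password")
```

Disabling the endpoint is a blunt control: anything on the instance that relies on IMDS (instance roles, the cloud-init hostname lookup, the SSM agent) stops working too, so the Secrets Manager path is the one to migrate to.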