Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support IMDSv2 for AWS authentication #2482

Closed
nhw76 opened this issue Jun 22, 2020 · 3 comments · Fixed by #2489
Closed

Support IMDSv2 for AWS authentication #2482

nhw76 opened this issue Jun 22, 2020 · 3 comments · Fixed by #2489

Comments

@nhw76
Copy link
Contributor

nhw76 commented Jun 22, 2020

The original AWS instance metadata service that is used in OPA (IMDSv1) is vulnerable to SSRF attacks, whereby an attacker uses a misconfigured WAF/upload capability/etc. to disclose the credentials inappropriately. This vulnerability is known to have been involved in significant attacks on AWS-hosted applications.

In many environments, adoption of IMDSv2 (which is session-based vs. request/response for v1) is becoming mandatory as technology risk functions look to minimize the vulnerability surface.

Since OPA depends on a bespoke implementation of IMDSv1 for AWS credential management, that implementation will need to be upgraded for IMDSv2, rather than benefiting automatically through SDK integration.

ref. also #1340 and #1600 for more discussion of the cost/benefit of this integration approach
@tsandall
Copy link
Member

@nhw76 thanks for filing this. This is a good issue for someone with relevant experience to contribute to. Since we already implement IMDSv1, supporting IMDSv2 should follow a similar pattern fairly easily.

@nhw76 are you interested/available to implement this?

@nhw76
Copy link
Contributor Author

nhw76 commented Jun 24, 2020

@tsandall happy to!

@nhw76 nhw76 mentioned this issue Jun 24, 2020
Merged
@nhw76
Copy link
Contributor Author

nhw76 commented Jun 25, 2020

@tsandall @patrick-east I think the linked PR covers the requirement - let me know what you think.

patrick-east pushed a commit that referenced this issue Jun 26, 2020
@nhw76 @patrick-east
Implement IMDSv2 for AWS metadata service
d60c9fe 
Fixes: #2482
Signed-off-by: Nick Williams <nhw@me.com>
@anderseknert anderseknert mentioned this issue Dec 24, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Open Policy Agent
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Implement IMDSv2 for AWS metadata service
3 participants
@tsandall @patrick-east @nhw76