[Security] Enable IMDSv2 support in Filebeat, Auditbeat and others #22101
Comments
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Pinging @elastic/integrations (Team:Integrations)
Requesting feedback on this request. The customer is currently working with a temporary workaround (IAMUSER) but is awaiting an outlook on using IAMROLE. The current workaround is covered by a security vulnerability exception, but this expires this week, and in order to request an extension our customer Ikano Bank is requesting clarity on the expected timeline for when this is planned to be added. This will allow them to request an extension of the security exception currently in place. The pending change prevents additional AWS sources from being incorporated into their service and is a blocker for further growth of their current implementation.
@martijnbakkerelastic I think this is the issue with the IAM USER/ROLE #19393
Greetings! AWS IMDSv2 was released in November 2019. One pandemic later, I don't consider myself an early adopter of AWS IMDSv2. We plan to completely get rid of IMDSv1 in our AWS EC2 fleet, and at the moment Filebeat is a blocker for our project. I've looked at the code and identified that the function we need to update is here: https://github.com/elastic/beats/blob/master/libbeat/processors/add_cloud_metadata/provider_aws_ec2.go#L29 Based on the AWS documentation, we need to:
Is there anything else I'm not seeing that could complicate things? From what I understand, IMDSv2 is available on all EC2 instances out of the box, so this change would not be a breaking one. So, could we push this feature onto the beats roadmap? Thank you very much!! 😄
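The IMDSv2 exchange the comment above refers to, written out as an added example (this is not beats code and not the `add_cloud_metadata` provider; the helper names, the local stand-in server and the metadata values are constructed for illustration): the client first issues a PUT to `/latest/api/token` with the `X-aws-ec2-metadata-token-ttl-seconds` header, then presents the returned token in `X-aws-ec2-metadata-token` on every metadata GET. The stand-in server refuses token-less requests the way an instance with IMDSv1 disabled does, which is the behaviour a processor must handle once the fleet turns IMDSv1 off.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// Header and path names are the ones documented by AWS for IMDSv2.
const (
	tokenPath   = "/latest/api/token"
	tokenTTLHdr = "X-aws-ec2-metadata-token-ttl-seconds"
	tokenHdr    = "X-aws-ec2-metadata-token"
)

// imdsRequest performs one request against the metadata endpoint and returns the body.
// Any non-200 status (e.g. 401 for a token-less GET) is surfaced as an error.
func imdsRequest(client *http.Client, method, url, hdr, val string) (string, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set(hdr, val)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("%s %s: %s", method, url, resp.Status)
	}
	return string(body), nil
}

// fetchIMDSv2Token obtains a session token. The PUT method plus a custom header is
// what a typical SSRF or open proxy cannot produce, which is the defence IMDSv2 adds.
func fetchIMDSv2Token(client *http.Client, base string, ttlSeconds int) (string, error) {
	return imdsRequest(client, http.MethodPut, base+tokenPath, tokenTTLHdr, strconv.Itoa(ttlSeconds))
}

// getMetadata reads one metadata path, presenting the session token.
func getMetadata(client *http.Client, base, token, path string) (string, error) {
	return imdsRequest(client, http.MethodGet, base+path, tokenHdr, token)
}

// collectInstanceMetadata is the end-to-end flow a processor would run: token first,
// then token-bearing GETs for the fields it enriches events with.
func collectInstanceMetadata(base string) (map[string]string, error) {
	client := &http.Client{Timeout: 2 * time.Second}
	token, err := fetchIMDSv2Token(client, base, 21600) // 21600 s is the documented maximum TTL
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for key, path := range map[string]string{
		"instance_id": "/latest/meta-data/instance-id",
		"region":      "/latest/meta-data/placement/region",
	} {
		v, err := getMetadata(client, base, token, path)
		if err != nil {
			return nil, err
		}
		out[key] = v
	}
	return out, nil
}

// newFakeIMDSv2 is a constructed local stand-in for the metadata service with IMDSv1
// disabled: it issues a token only on a PUT carrying the TTL header, and answers any
// other path with 401 unless the matching token header is present.
func newFakeIMDSv2() *httptest.Server {
	const issued = "constructed-session-token"
	data := map[string]string{
		"/latest/meta-data/instance-id":      "i-0123456789abcdef0", // constructed value
		"/latest/meta-data/placement/region": "eu-west-1",           // constructed value
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == tokenPath {
			if r.Method != http.MethodPut || r.Header.Get(tokenTTLHdr) == "" {
				w.WriteHeader(http.StatusBadRequest)
				return
			}
			io.WriteString(w, issued)
			return
		}
		if r.Header.Get(tokenHdr) != issued {
			w.WriteHeader(http.StatusUnauthorized) // IMDSv1-style request is refused
			return
		}
		v, ok := data[r.URL.Path]
		if !ok {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		io.WriteString(w, v)
	}))
}

func main() {
	srv := newFakeIMDSv2()
	defer srv.Close()
	md, err := collectInstanceMetadata(srv.URL)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(md["instance_id"], md["region"])
}
```

Against a real instance the base URL is `http://169.254.169.254`; the stand-in exists only so the flow runs offline. Note that the token PUT is the step that fails when a request is relayed through a proxy or an SSRF sink that can only issue GETs, so a processor that silently falls back to token-less GETs would give up exactly the protection the issue is asking for.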
IMDSv2 adds defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service (IMDS).
https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ has the details.
A bunch of projects (e.g. https://pypi.org/project/ec2-metadata/) have started using IMDSv2; https://pypi.org/project/ec2-metadata/ says:
In November 2019, AWS released version 2 of the instance metadata service. It’s more secure against Server Side Request Forgery (SSRF) attacks. ec2-metadata now uses it exclusively. You can therefore consider disabling version 1, as per AWS’ guide.
Related: https://www.elastic.co/guide/en/beats/auditbeat/current/add-cloud-metadata.html. The add_cloud_metadata processor should use IMDSv2 on AWS.