Restricting cloud metadata API access
Info
ID: MS-M9018
MITRE mitigation: M1035
Many cluster-to-cloud authentication methods rely on the node's instance metadata service (IMDS). Restrict access to it wherever workloads do not need it. At the pod level this can be done with network restriction tools such as Kubernetes network policies that block egress to the metadata address. Alternatively, cloud providers offer node- or cluster-level controls. For instance, in AWS one can require IMDSv2 and lower the IMDS hop limit so that token responses do not reach containers behind the node's bridge network (see the AWS IMDS documentation). In AKS, deploying AAD pod identity restricts pod access to IMDS (AAD pod identity has since been deprecated in favour of Microsoft Entra Workload ID; pods that use workload identity obtain tokens without IMDS, so their IMDS egress can be blocked outright).
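The pod-level restriction described above, as an added example that is not part of the threat matrix page: a NetworkPolicy that lets every pod in an assumed `workloads` namespace reach anything except the metadata endpoint. AWS, Azure and GCP all serve IMDS on 169.254.169.254, so one CIDR exception covers the three providers.

```yaml
# Added example, not from the threat matrix page. Namespace name is assumed.
# Blocks pod egress to the cloud instance metadata address while leaving all
# other egress (including DNS) untouched.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-imds-egress
  namespace: workloads
spec:
  # Empty selector: the policy applies to every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Allow all IPv4 egress except the instance metadata endpoint.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
```

A NetworkPolicy is only enforced if the cluster's CNI implements it (Calico, Cilium and Azure NPM do; a CNI without policy support silently accepts the object and blocks nothing), and pods running with `hostNetwork: true` bypass it entirely. On dual-stack AWS nodes add a second `ipBlock` for `::/0` with `fd00:ec2::254/128` excepted. Verify from inside a pod with `kubectl exec <pod> -n workloads -- curl -s -m 3 http://169.254.169.254/`, which should time out once the policy is in place. The complementary node-level control on AWS is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`, which makes IMDSv2 mandatory and drops the PUT token response before it crosses the extra network hop into a container.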
Techniques Addressed by Mitigation
ID | Name | Use |
---|---|---|
MS-TA9020 | Access cloud resources | Restrict the access of pods to IMDS to restrict pods from getting access to cloud identities. |
MS-TA9028 | Access Managed Identity credentials | Restrict the access of pods to IMDS so they cannot request Managed Identity tokens. |
MS-TA9033 | Instance Metadata API | Restrict the access of pods to IMDS. |
MS-TA9037 | Images from a private registry | Restrict access to IMDS to prevent authentication with a private registry using cloud identities. |