Restricting cloud metadata API access

Info

ID: MS-M9018
MITRE mitigation: M1035

Many cluster-to-cloud authentication methods rely on access to the node's metadata server (IMDS). Restrict access to the metadata server wherever it is not necessary. This can be done at the pod level with networking restriction tools such as network policies. Alternatively, cloud providers offer this functionality at the node or cluster level. For instance, in AWS one can lower the hop count limit of IMDS as described in the AWS documentation. In AKS, deploying AAD pod identity restricts access to IMDS.
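The pod-level restriction described above, as an added example that is not part of the original page: a NetworkPolicy that allows all egress except traffic to the metadata address 169.254.169.254, which is the IMDS endpoint on AWS, Azure and GCP. The namespace name is an assumption; the policy is only enforced if the cluster's CNI plugin implements NetworkPolicy, and it does not cover pods running with hostNetwork, which share the node's network namespace.

```yaml
# Assumed namespace "app"; apply with: kubectl apply -f deny-imds-egress.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-imds-egress
  namespace: app
spec:
  # Empty selector: applies to every pod in the namespace
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Permit all other egress (DNS, in-cluster services, internet)
    # but carve out the metadata server address
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
```

Pods that legitimately need cloud identities should receive them through a workload identity mechanism (for example AAD pod identity on AKS, or IAM roles for service accounts on EKS) rather than by being exempted from this policy. As a node-level complement on AWS, the hop limit mentioned above can be set to 1 with `aws ec2 modify-instance-metadata-options --http-put-response-hop-limit 1`, so requests that cross from a pod's network namespace to the node's are dropped.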

Techniques Addressed by Mitigation

| ID | Name | Use |
| --- | --- | --- |
| MS-TA9020 | Access cloud resources | Restrict the access of pods to IMDS to prevent pods from obtaining cloud identities. |
| MS-TA9028 | Access Managed Identity credentials | Restrict the access of pods to IMDS. |
| MS-TA9033 | Instance Metadata API | Restrict the access of pods to IMDS. |
| MS-TA9037 | Images from a private registry | Restrict access to IMDS to prevent authentication with a private registry using cloud identities. |