We are heavy users of Amazon Elastic Compute Cloud (EC2) at Slack — we run approximately 60,000 EC2 instances across 17 AWS regions while operating hundreds of AWS accounts. A multitude of teams own and manage our various instances. The Instance Metadata Service (IMDS) is an on-instance component that can be used to gain an…
Overview
The article discusses Slack's migration from AWS Instance Metadata Service version 1 (IMDSv1) to version 2 (IMDSv2), emphasizing the security enhancements and challenges faced during the transition. It details the methods used to identify IMDSv1 usage, the steps taken to enforce IMDSv2, and the tools developed to ensure compliance across their extensive AWS infrastructure.
What You'll Learn
How to implement AWS IMDSv2 in your EC2 instances
Why transitioning to IMDSv2 enhances security against SSRF vulnerabilities
How to monitor and enforce IMDSv2 usage across multiple AWS accounts
Prerequisites & Requirements
- Understanding of AWS EC2 and instance provisioning
- Familiarity with AWS CloudWatch and Prometheus for monitoring (optional)
Key Questions Answered
What are the main differences between IMDSv1 and IMDSv2?
How did Slack identify instances still using IMDSv1?
What steps did Slack take to enforce IMDSv2 on new instances?
What mechanisms did Slack implement to monitor IMDSv1 usage?
Key Actionable Insights
1. Transitioning to IMDSv2 is crucial for enhancing security in your AWS environment. By implementing IMDSv2, you reduce the risk of SSRF attacks, which can lead to unauthorized access to sensitive instance metadata.
2. Utilize AWS CloudWatch metrics to monitor the use of IMDSv1 across your instances. This proactive monitoring allows you to identify and remediate instances that have not yet transitioned to IMDSv2, ensuring compliance and security.
3. Leverage Terraform modules to manage instance metadata options effectively. By creating standardized modules, you can enforce IMDSv2 across multiple AWS accounts without disrupting ongoing operations.