Bug 2185249 - Register EC2 Cloud Images with IMDSv2-only AMI flag
Summary: Register EC2 Cloud Images with IMDSv2-only AMI flag
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: 39
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Stewart Smith
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: F39Changes
Reported: 2023-04-07 15:00 UTC by Ben Cotton
Modified: 2023-08-16 08:29 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Ben Cotton 2023-04-07 15:00:58 UTC
This is a tracking bug for Change: Register EC2 Cloud Images with IMDSv2-only AMI flag
For more details, see: https://fedoraproject.org/wiki/Changes/CloudEC2IMDSv2Only

In November 2019, AWS launched IMDSv2 (Instance Meta-Data Store version 2 - see https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ ) which provides "belt and suspenders" protections for four types of vulnerabilities that could be used to try to access the Instance Meta-Data Store available to EC2 instances. In that announcement, AWS recommended adopting IMDSv2 and restricting access to IMDSv2 only for added security. This can be done at instance launch time, or (more recently in October 2022) by providing a flag when registering an AMI to indicate that the AMI should by default launch with IMDSv1 disabled, and thus require IMDSv2.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.
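
Added example, not part of the bug report or of Fedora's image tooling: one way to check the effect of the AMI flag described above from saved `aws ec2 describe-images` and `describe-instances` JSON. The `ImdsSupport`, `HttpTokens` and `HttpEndpoint` fields are the EC2 API's; the IDs, names and sample documents are constructed.

```python
"""Audit IMDSv2 enforcement from saved `aws ec2 describe-images` /
`describe-instances` JSON. Sample data below is constructed, not real."""

# Constructed sample in the shape the EC2 API returns.
IMAGES = {"Images": [
    {"ImageId": "ami-0000000000000000a", "Name": "example-v2only", "ImdsSupport": "v2.0"},
    {"ImageId": "ami-0000000000000000b", "Name": "example-legacy"},  # flag absent
]}
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-00000000000000001", "ImageId": "ami-0000000000000000a",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-00000000000000002", "ImageId": "ami-0000000000000000a",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-00000000000000003", "ImageId": "ami-0000000000000000b",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-00000000000000004", "ImageId": "ami-0000000000000000b",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}


def images_without_v2_flag(images):
    """AMIs whose launches will not default to IMDSv2-only."""
    return sorted(i["ImageId"] for i in images.get("Images", [])
                  if i.get("ImdsSupport") != "v2.0")


def instances_allowing_v1(instances, images):
    """(instance, ami, cause) for instances that still answer IMDSv1."""
    v2_amis = {i["ImageId"] for i in images.get("Images", [])
               if i.get("ImdsSupport") == "v2.0"}
    findings = []
    for res in instances.get("Reservations", []):
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service unreachable, nothing to enforce
            if opts.get("HttpTokens") == "required":
                continue  # IMDSv2-only
            # The AMI flag is only a launch default; it can be overridden.
            cause = ("overridden at or after launch"
                     if inst.get("ImageId") in v2_amis else "AMI not flagged")
            findings.append((inst["InstanceId"], inst.get("ImageId"), cause))
    return findings


if __name__ == "__main__":
    print("AMIs without flag:", images_without_v2_flag(IMAGES))
    for finding in instances_allowing_v1(INSTANCES, IMAGES):
        print("IMDSv1 allowed:", *finding)
```

Because the flag only sets a launch default, the instance-level check is the one that shows whether IMDSv1 is actually off.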

