https://github.com/cperciva/imds-filterd

Intercepts and filters requests to the EC2 Instance Metadata Service
https://github.com/cperciva/imds-filterd

ec2 ec2-instance-metadata instance-metadata security security-hardening

Last synced: 13 days ago
JSON representation

Intercepts and filters requests to the EC2 Instance Metadata Service

• Host: GitHub
• URL: https://github.com/cperciva/imds-filterd
• Owner: cperciva
• License: other
• Created: 2020-01-24T00:01:39.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2021-02-06T07:02:14.000Z (about 4 years ago)
• Last Synced: 2025-04-06T06:37:42.656Z (21 days ago)
• Topics: ec2, ec2-instance-metadata, instance-metadata, security, security-hardening
• Language: C
• Size: 107 KB
• Stars: 71
• Watchers: 2
• Forks: 2
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG

Awesome Lists containing this project

README

        
imds-filterd

============

**`imds-filterd`** (pronounced "I M D S Filter D") is a pair of utilities

which work together to intercept and filter requests to the EC2 Instance

Metadata Service -- or theoretically any other service at 169.254.169.254:80.

It validates requests against a configured ruleset which specifies whether

given users and groups should be allowed or denied access to certain prefixes

in the Instance Metadata Service.  For example, "root" could be granted

access to everything; most unprivileged users granted access to everything

except IAM role credentials; but the www user denied access to the entire

Instance Metadata Service in order to guard against SSRF and similar attacks.

At present this code only works on FreeBSD; we hope to support other

platforms (e.g., Linux) in the future.  (Send patches!)

Code layout

-----------

```

imds-filterd/*  -- Privileged code

  main.c        -- Initialization and event loop

  netconfig.c   -- Gathers information about the network configuration (e.g.

                   where and how to access the IMDS).

  tunsetup.c    -- Creates a virtualized environment and creates tunnels used

                   to redirect packets in and out of it.

  packets.c     -- Pushes packets in and out of the virtualized environment.

  conns.c       -- Provides a mechanism for imds-proxy to connect to the IMDS.

  ident.c       -- Provides an "ident" service used by imds-proxy.

imds-proxy/*    -- Unprivileged filtering HTTP proxy

  main.c        -- Command line parsing, initialization, and connection

                   acceptance.

  conf.c        -- Reads the configuration and performs queries against it.

  http.c        -- Handles an HTTP connection (possibly forwarding it).

  ident.c       -- Uses imds-filterd to determine the source of a request.

  request.c     -- Parses an HTTP request.

  uri2path.c    -- Extracts and normalizes the path from a Request-URI.

```