Block non-root access to EC2 instance metadata endpoint

furkansahin · claude · furkansahin · commit d502d3f42c32 · 2026-02-19T16:44:34.000+01:00
Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/common/assets/imds-protection.nftables.conf b/common/assets/imds-protection.nftables.conf
@@ -0,0 +1,17 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet imds_protection {
+    chain output {
+        type filter hook output priority 0; policy accept;
+
+        # Allow root to access IMDS
+        meta skuid 0 ip daddr 169.254.169.254 accept
+        meta skuid 0 ip6 daddr fd00:ec2::254 accept
+
+        # Block all other users from accessing IMDS
+        ip daddr 169.254.169.254 drop
+        ip6 daddr fd00:ec2::254 drop
+    }
+}
diff --git a/common/assets/imds-protection.service b/common/assets/imds-protection.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Block non-root access to EC2 instance metadata
+DefaultDependencies=no
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'grep -qi amazon /sys/devices/virtual/dmi/id/sys_vendor 2>/dev/null && nft -f /etc/nftables.conf || true'
+
+[Install]
+WantedBy=multi-user.target
diff --git a/common/setup_base.sh b/common/setup_base.sh
@@ -112,4 +112,11 @@ usermod --append --groups cert_readers prometheus
 echo "[setup_base.sh] Restricting su to sudo group..."
 echo -e '\nauth required pam_wheel.so group=sudo\n' | tee -a /etc/pam.d/su
 
+echo "=== [setup_base.sh] Setting up IMDS protection ==="
+
+apt-get install -y nftables
+cp /tmp/common/assets/imds-protection.nftables.conf /etc/nftables.conf
+cp /tmp/common/assets/imds-protection.service /etc/systemd/system/imds-protection.service
+systemctl enable imds-protection.service
+
 echo "=== [setup_base.sh] Complete ==="
