Question
Is there some way to limit access to the internal metadata IP? Background is: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
When I fetch all the data with curl I can see the email address of my google account among other stuff. I'd like to limit the data itself and access to the data as much as possible. Metadata is required during setup and boot as far as I know. Is there some way around this or at least some way to lock down access after boot? Internal firewall is only a limited solution as it can be disabled by someone inside the machine.
Answer 1:
Permission to access the Compute Engine Metadata Server is granted to the VM instance. You cannot selectively limit access to portions.
For most VM instance operations, the metadata is not required. It is for items such as startup scripts, custom security settings like SSH keys, etc.
You can prevent access to the Metadata server by removing all scopes from the VM instance.
Disabling access to the Metadata Server means that you cannot assign a default service account to the instance. For apps that do not need to access other Google Cloud services, this is fine.
This leaves you with an all or nothing choice. Either enable access to the metadata or disable access to it.
The information in the tutorial on privilege escalation provides good information. If your VM instance can be breached and a local login obtained, you have a serious problem. Assigning least privilege to the instance helps mitigate damage to other resources and accessing information. Security best practices mean that you protect the VM instance so that a breach cannot occur. Once an intruder is inside the machine, metadata is just one concern of many.
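The "all or nothing" option described in this answer, as an added example that is not part of the original post: a POSIX shell script that builds the gcloud commands for a VM with no service account and no OAuth scopes, and a probe to run from inside the VM afterwards to confirm the service-accounts endpoint no longer exposes an account email (the data the question is worried about). It assumes the gcloud CLI is installed and authenticated; the instance name and zone are placeholders, and the `plan`/`apply`/`probe` sub-commands are this script's own convention.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes the gcloud CLI is
# installed and authenticated, and that instance name and zone are placeholders
# you replace. Nothing below talks to Google unless you pass "apply" or "probe".

METADATA_BASE="http://metadata.google.internal/computeMetadata/v1"

# gcloud command for a new VM with no service account and no OAuth scopes:
# the metadata server then has no identity (and no access token) to hand out.
build_create_cmd() {
  printf 'gcloud compute instances create %s --zone=%s --no-service-account --no-scopes' "$1" "$2"
}

# Same change for an existing VM; gcloud requires the instance to be stopped first.
build_strip_sa_cmd() {
  printf 'gcloud compute instances set-service-account %s --zone=%s --no-service-account --no-scopes' "$1" "$2"
}

# Run from inside the VM: dump what the service-accounts endpoint still exposes.
# The Metadata-Flavor header is mandatory; the server refuses requests without it.
probe_service_accounts() {
  curl -sS --max-time 3 -H 'Metadata-Flavor: Google' \
    "$METADATA_BASE/instance/service-accounts/?recursive=true"
}

# Returns 0 when the probe output still carries an account email, i.e. anyone
# with a shell on the box can read the identity and fetch its token.
sa_exposed() {
  printf '%s' "$1" | grep -q '"email"'
}

case "${1:-}" in
  plan)  build_create_cmd "${2:-my-vm}" "${3:-us-central1-a}"; echo ;;
  apply) eval "$(build_strip_sa_cmd "$2" "$3")" ;;
  probe) out="$(probe_service_accounts)"
         if sa_exposed "$out"; then
           echo "service account still exposed: $out"; exit 1
         else
           echo "no service account exposed"
         fi ;;
esac
```

`sh harden.sh plan my-vm us-central1-a` only prints the create command; `apply` strips the service account from an existing (stopped) instance; `probe`, run on the VM itself, exits non-zero while the metadata server still returns an account email. Note that this removes the instance identity entirely: any workload on the VM that needs Google APIs must then bring its own credentials, which is the trade-off the answer describes.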
Answer 2:
You can try removing the permission compute.instances.get (refer to the documentation) from the users in order to limit the access to the metadata server.
Source: https://stackoverflow.com/questions/60660924/limit-access-to-metadata-on-gce-instance