IBM Cloud Docs
Security best practices for the instance metadata service

IBM takes data security seriously and recommends you follow these best practices to ensure the highest level of protection for your instance metadata.

Overview

This topic describes how to configure security safeguards to protect your metadata by:

  • Disabling the metadata service for an instance or an account.
  • Limiting or not assigning trusted profiles for compute resource identities.
  • Enhancing network security.

Disable the metadata service for an instance or account

You can disable the service on an existing instance where it is enabled. See Enable or disable the instance metadata service.

Use iptables firewall to limit access on Linux

Use the iptables Linux firewall utility to put a barrier between the metadata service link-local address (trusted) and software on the instance that has no need for it, such as an internet-facing web server (untrusted). Define rules that govern which traffic is allowed and which is blocked.

The following example uses Linux iptables with its owner match module to prevent the Apache web server, which a default installation runs as the user apache, from reaching the metadata link-local address (169.254.169.254). It is a deny rule: it rejects every metadata request from any process that runs as that user.

sudo iptables --append OUTPUT --proto tcp --destination 169.254.169.254 --match owner --uid-owner apache --jump REJECT

The metadata endpoint is reachable by every command, process, and application that runs inside the virtual server instance, and it is not reachable from outside the instance. An owner-based firewall rule therefore adds a layer of defense against a compromised or misconfigured process on the instance itself. Keep in mind that iptables rules live in kernel memory and do not survive a reboot unless you save them with your distribution's persistence mechanism.

Alternatively, use allow rules that grant access only to particular users or groups. Allow rules require you to decide up front which software needs access to instance metadata. With such rules in place, software cannot gain access to the metadata service by accident if you later change the software or configuration on the instance.

You can also write the allow rule against a group rather than a single user. You then add and remove users from the permitted group without changing the firewall rule.

The following example prevents access to the instance metadata service by all processes, except processes that run as the user trustworthy-user:

sudo iptables --append OUTPUT --proto tcp --destination 169.254.169.254 --match owner ! --uid-owner trustworthy-user --jump REJECT
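The following script, added here as an example and not part of IBM's documentation, packages the deny rule and both allow-list variants (by user and by group) from the two examples above into reusable functions, applies a rule only when it is not already present, and checks from the perspective of a given user that the endpoint is actually unreachable. The user name apache and the group name metadata-users are placeholders for this example; the functions assume iptables with the owner match module and util-linux runuser on the instance.

```shell
#!/bin/sh
# Added example, not IBM's own code. Builds and installs owner-based iptables
# rules for the metadata link-local address and verifies that they took effect.
# Assumptions: iptables with the owner (xt_owner) match is available, the
# script runs as root on the instance, and the user and group names passed in
# (for example "apache" or "metadata-users") exist on the system.
set -u

METADATA_IP="169.254.169.254"

# Deny rule: reject metadata requests from every process running as user $1.
deny_user_rule() {
    printf '%s\n' "-p tcp -d $METADATA_IP -m owner --uid-owner $1 -j REJECT"
}

# Allow-list by user: reject requests from every process NOT running as user $1.
allow_only_user_rule() {
    printf '%s\n' "-p tcp -d $METADATA_IP -m owner ! --uid-owner $1 -j REJECT"
}

# Allow-list by group: reject requests from every process whose effective
# group is NOT $1, so membership is managed with groupadd/usermod instead of
# by editing firewall rules.
allow_only_group_rule() {
    printf '%s\n' "-p tcp -d $METADATA_IP -m owner ! --gid-owner $1 -j REJECT"
}

# Insert the rule at the top of OUTPUT unless an identical rule already exists
# (iptables -C exits 0 when it does), so reruns from cron or configuration
# management do not stack duplicates, and an earlier broad ACCEPT rule in the
# chain cannot shadow the REJECT. With DRY_RUN=1 the command is printed only.
apply_rule() {
    rule="$1"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables -I OUTPUT 1 $rule"
        return 0
    fi
    # shellcheck disable=SC2086  # splitting the rule into separate arguments is intended
    if iptables -C OUTPUT $rule 2>/dev/null; then
        echo "already present: OUTPUT $rule"
    else
        iptables -I OUTPUT 1 $rule
    fi
}

# Verify the block from the affected user's point of view: run curl as user $1
# and expect a connection failure (curl exit code 7, since REJECT answers with
# an ICMP unreachable) rather than any HTTP response. Returns 0 when blocked.
verify_blocked_for_user() {
    rc=0
    runuser -u "$1" -- curl -s -o /dev/null --max-time 3 "http://$METADATA_IP/" \
        >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 7 ]
}

# Example usage when run directly as root: allow only the metadata-users group,
# then confirm that the apache user can no longer reach the endpoint.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    apply_rule "$(allow_only_group_rule metadata-users)"
    verify_blocked_for_user apache && echo "metadata blocked for apache"
fi
```

Two caveats matter when you use the group form. The owner match compares the effective (primary) group ID of the process that created the socket, so adding a user to metadata-users as a supplementary group is not enough on its own: the process must run with that group as its primary group, for example through a systemd unit's Group= setting. And because iptables evaluates rules in order, the script inserts at position 1 rather than appending, which is why the verify step is worth running after every change to the OUTPUT chain.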

Limit trusted profiles for compute resource identities

Limit trusted profiles that you create for compute resource identities. Optionally, don't assign a compute resource identity to an instance.

When you remove trusted profiles, compute resources and federated users are unlinked from the profile and can no longer apply the trusted profile identity.

You can also update existing trusted profiles by redefining the trust relationship, assigning access policies, and updating session limits. For more information, see Updating trusted profiles.

Additional network security measures

Consider the following options for controlling network traffic to your virtual server instances:

  • Restrict access to your instances by using security groups.

  • Ensure that the instance's metadata response hop limit is configured properly. The hop limit caps how many network hops a response from the metadata service can travel, so a value that is too low for your workload results in timeout errors when trying to reach the service. For more information, see Set the metadata hop limit by using the UI.

  • Set up access control lists (ACLs) to control all incoming and outgoing traffic in IBM Cloud® Virtual Private Cloud. An ACL is a built-in virtual firewall, similar to a security group. In contrast to security groups, ACL rules control traffic to and from subnets rather than to and from individual instances.

  • Use a Virtual Private Network (VPN) for VPC to establish private connections from your remote networks to your VPCs.

  • Use IBM Cloud® Virtual Private Endpoints (VPE) for VPC to connect to supported IBM Cloud services from your VPC network by using the IP addresses of your choosing, which are allocated from a subnet within your VPC. VPEs are virtual IP interfaces that are bound to an endpoint gateway created on a per service or service instance basis.

  • Use IBM Cloud Flow Logs for VPC to monitor the traffic that reaches your instances.

  • Enable secure access to the instance metadata service. When secure access is enabled, the virtual server instance can reach the metadata service only over HTTPS.

Manage security and compliance with VPC Infrastructure Services

Security and Compliance Center can help you monitor your VPC infrastructure to validate resource configurations in your account against a profile and identify potential issues as they arise.