suppandi (04/20/2021, 3:12 AM):

seph (04/20/2021, 3:59 AM):

WS (04/20/2021, 5:31 AM):

seph (04/20/2021, 12:08 PM):

nyanshak (04/20/2021, 3:53 PM):

WS (04/20/2021, 3:55 PM):

Gabriel Munoz (04/20/2021, 6:29 PM):
4.6.0-1. I ran a query against the ec2_instance_metadata table, and dumping the HTTP headers from tcpdump didn't show the x-aws-ec2-metadata-token header with a token value as I would have expected. I used the test case example on the ticket to confirm that `curl`'ing the endpoint directly would function, so I know I had a sane test case. I'm wondering if there is a flag to tell osquery to use imdsv2? My test instance is in a mode that allows both imdsv1 and imdsv2.

nyanshak (04/20/2021, 6:30 PM):

Gabriel Munoz (04/20/2021, 6:31 PM):

nyanshak (04/20/2021, 6:32 PM):

Gabriel Munoz (04/20/2021, 6:35 PM):

nyanshak (04/20/2021, 6:37 PM):
m_tokenRequired is set: https://github.com/aws/aws-sdk-cpp/blob/bb1fdce01cc7e8ae2fe7162f24c8836e9d3ab0a2/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp#L312

Gabriel Munoz (04/20/2021, 6:37 PM):

nyanshak (04/20/2021, 6:39 PM):
    Aws::String EC2MetadataClient::GetDefaultCredentials() const
    {
        std::unique_lock<std::recursive_mutex> locker(m_tokenMutex);
        if (m_tokenRequired)
        {
            return GetDefaultCredentialsSecurely();
        }
        ...

Gabriel Munoz (04/20/2021, 6:41 PM):

nyanshak (04/20/2021, 6:45 PM):
> Are there any plans to support IMDSV2 instead of IMDSV1 for aws instance metadata? Most accounts today disable the use of IMDSV1 due to security issues.
Based on my reading of how osquery 4.6.0+ and aws-sdk-cpp work, I think this is already supported. Disabling v1 should just work going forward.

Gabriel Munoz (04/20/2021, 6:45 PM):

nyanshak (04/20/2021, 6:47 PM):

Gabriel Munoz (04/20/2021, 6:51 PM):

nyanshak (04/20/2021, 6:54 PM):
userAgent field, example:
    "userAgent": "aws-sdk-go/1.35.23 (go1.13.14; linux; amd64) amazon-ssm-agent/",

Gabriel Munoz (04/20/2021, 7:06 PM):

nyanshak (04/20/2021, 7:07 PM):

Gabriel Munoz (04/20/2021, 7:07 PM):

nyanshak (04/20/2021, 7:09 PM):

Gabriel Munoz (04/20/2021, 7:10 PM):

suppandi (04/21/2021, 1:24 AM):

nyanshak (04/21/2021, 3:19 PM):