Blocking docker from the instance metadata service in AWS and Openstack

Juan Berner
Aug 31, 2015

One of the many benefits of Docker is that it isolates applications in their own “stacks”, which improves their security. Yet on virtual machines running in AWS or OpenStack there is an instance metadata service at http://169.254.169.254, and with Docker's default bridge networking every container can reach it, because the container's traffic is simply routed out through the host.

This is especially troublesome when the metadata service holds sensitive information, as it does on an AWS EC2 instance that has an IAM instance role attached: the temporary credentials for that role are served to anyone who can reach the endpoint. A user inside a container who queries the metadata service would see something like this:

user@c059f8df8006:/home/user# curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
{
"Code" : "Success",
"LastUpdated" : "2012-04-26T16:39:16Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
"SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"Token" : "token",
"Expiration" : "2012-04-27T22:39:16Z"
}

In this example the container is able to read the instance role's temporary credentials (the values shown are AWS's documented example keys), which lets anything running in the container, and anyone it leaks them to, use the instance's AWS permissions until the credentials expire.

Now, if we want to block access to the metadata service we could try to block the traffic inside the container, but a root user inside the container could simply remove that rule again, since it lives in the container's own network namespace. That is why the block has to be enforced on the host, where the container cannot touch it. One way to do it is adding an iptables rule on the host that rewrites the destination of any forwarded packet bound for the metadata service:

/sbin/iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 1.1.1.1

After adding this rule, containers on the bridge network should no longer be able to retrieve anything from the metadata service. The request times out because, when this was written, nothing answered at 1.1.1.1; a filter rule that rejects the traffic outright does not depend on that. Note that the rule sits in the nat PREROUTING chain, so it only affects packets entering the host from the container bridge: processes on the host itself, and containers started with --net=host, still reach the metadata service. Now:

user@c059f8df8006:/home/user# curl http://169.254.169.254/latest/meta-data/
curl: (7) Failed to connect to 169.254.169.254 port 80: Connection timed out
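The host-side version of this block, as an added example that is not part of the original post. It assumes the Docker bridge interface is docker0 and the metadata address is 169.254.169.254 (both assumptions; adjust for your host). Instead of a DNAT to 1.1.1.1 it uses a filter-table REJECT on the FORWARD chain: 1.1.1.1 is today Cloudflare's public resolver and answers HTTP, so a DNAT there would hand a container's metadata request to a third party rather than drop it, and a REJECT with a TCP reset fails the request immediately instead of after a timeout. The `iptables -C` check makes the script safe to run on every boot, and the verify step confirms the block from inside a throwaway container.

```shell
#!/bin/sh
# Added example, not from the original post: block container access to the
# instance metadata service from the host. Assumptions: the Docker bridge is
# docker0 and the metadata IP is 169.254.169.254 (the AWS/OpenStack default).
METADATA_IP="${METADATA_IP:-169.254.169.254}"
BRIDGE_IF="${BRIDGE_IF:-docker0}"

# Emit the filter-table rule (chain first, as iptables expects after -C/-I):
# reject forwarded TCP/80 traffic from the bridge to the metadata IP with a
# TCP reset so clients fail fast instead of hanging until a timeout.
metadata_block_rule() {
    printf 'FORWARD -i %s -d %s -p tcp --dport 80 -j REJECT --reject-with tcp-reset\n' \
        "$BRIDGE_IF" "$METADATA_IP"
}

# Insert the rule at the top of FORWARD, ahead of Docker's own accept rules,
# but only if it is not already present (iptables -C checks for an exact match).
apply_metadata_block() {
    rule=$(metadata_block_rule)
    # shellcheck disable=SC2086  # word-splitting the rule into arguments is intended
    if iptables -C $rule 2>/dev/null; then
        echo "rule already present"
    else
        iptables -I $rule
        echo "rule inserted"
    fi
}

# Verify from inside a fresh container: the fetch must fail within 5 seconds.
# Returns 0 when the block works (fetch failed) and 1 when metadata was reachable.
verify_from_container() {
    if docker run --rm alpine sh -c "wget -qO- -T 5 http://$METADATA_IP/latest/meta-data/" >/dev/null 2>&1; then
        echo "metadata service still reachable from containers" >&2
        return 1
    fi
    echo "metadata service blocked for containers"
    return 0
}

# Usage: sh block-metadata.sh apply   (as root on the host)
#        sh block-metadata.sh verify
case "${1:-}" in
    apply)  apply_metadata_block ;;
    verify) verify_from_container ;;
esac
```

Containers started with --net=host are not covered by this rule either, since their traffic originates on the host and never passes through FORWARD; treat --net=host as granting metadata access.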

Let me know if this works for you or if you are able to find a way around it!

Originally published at secureandscalable.wordpress.com on August 31, 2015.
