Compromising a pod in a Kubernetes cluster can have disastrous consequences on resources in an AWS Elastic Kubernetes Service (EKS) account if access to the Instance Metadata service is not explicitly blocked. The Instance Metadata service is an AWS API listening on a link-local IP address. Only accessible from EC2 instances, it enables the retrieval of metadata that is used to configure or manage an instance. Although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods.
A recent blog described a scenario where an attacker compromised a pod in an EKS cluster by exploiting a vulnerability in the web application it was running, thus enabling the attacker to enumerate resources in the cluster and in the associated AWS account. This scenario was simulated by running a pod and attaching to a shell inside it.
By querying the Instance Metadata service from the compromised pod, the attacker was able to access the service and retrieve temporary credentials for the identity and access management (IAM) role assigned to the EC2 instances acting as Kubernetes worker nodes. At that point, the attacker was able to pursue multiple exploits, including mapping the network by listing and describing VPCs, subnets, and security groups exposed across the entire AWS account!
How can you remediate this vulnerability? The recommended workaround is to deploy Calico Network Policy, which will enable you to enforce network policy to deny egress traffic access to the Instance Metadata service.
For more details on the AWS Instance Metadata vulnerability as well as the complete workaround, check out this blog.
For EKS customers, Tigera offers two CNI solutions: Calico, and Calico Enterprise. Calico provides network security for hosted Kubernetes services on Amazon EKS, while Calico Enterprise builds on top of open source Calico to provide additional functionality and capabilities for Kubernetes networks on AWS and Amazon EKS.
Calico Enterprise can help you meet security and regulatory requirements with Zero-Trust Network Security, including least privilege access controls, as well as an Intrusion Detection System (IDS) that provides multiple layers of threat defense. Plus, it integrates with your existing AWS tools including CloudWatch and Security Hub so you can leverage existing processes and workflows in your EKS or Kubernetes infrastructure.
Free Online Training
Access Live and On-Demand Kubernetes Training
Calico Enterprise – Free Trial
Network Security, Monitoring, and Troubleshooting
for Microservices Running on Kubernetes