[Security] Enable IMDSv2 support in Filebeat, Auditbeat and others

[kholia]

IMDSv2 adds defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service (IMDS).

https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/ has the details.

A bunch of projects (e.g. https://pypi.org/project/ec2-metadata/) have started using IMDSv2,

https://pypi.org/project/ec2-metadata/ says,

In November 2019, AWS released version 2 of the instance metadata service. It’s more secure against Server Side Request Forgery (SSRF) attacks. ec2-metadata now uses it exclusively. You can therefore consider disabling version 1, as per AWS’ guide.

Related: https://www.elastic.co/guide/en/beats/auditbeat/current/add-cloud-metadata.html. The The add_cloud_metadata processor should use IMDSv2 on AWS.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[martijnbakkerelastic]

Requesting for feedback on this request. Customer is currently working with a temporary workaround (IAMUSER) but is awaiting outlook to use IAMROLE. Current workaround is under Security vulnerability-exception, but this will expire this week and in order to request extension our customer Ikano Bank is requesting clarity on expected timelines when this is planned to be added. This will allow them to request an extension on the current Security exception in place.

The pending change prevents additional AWS sources to be incorporated in their service and is a blocker for further growth in their current implementation.

[emweric]

@martijnbakkerelastic I think this is the issue with the IAM USER/ROLE #19393

[JPLachance]

Greetings!

AWS IMDSv2 was released in November 2019. One pandemic later, I don't consider myself as an early adopter of AWS IMDSv2.

We plan to completely get rid of IMDSv1 in our AWS EC2 fleet and at the moment, Filebeat is a blocker for our project.

I've looked at the code and identified that the function we need to update is here: https://github.com/elastic/beats/blob/master/libbeat/processors/add_cloud_metadata/provider_aws_ec2.go#L29

Based on the AWS documentation, we need to:

• Add a PUT request on http://169.254.169.254/latest/api/token to get our token
• Add the X-aws-ec2-metadata-token: $TOKEN header in our requests to use the token

Is there anything else I'm not seeing that could complicate things?

From what I understand, IMDSv2 is available on all EC2 instances out of the box, so this change would not be a breaking one.

So, could we push this feature on the beats roadmap?

Thank you very much!! 😄