On Tue, Sep 02, 2025 at 09:19:51AM -0400, Jonathan Proulx wrote:

> Restricting access to metadata would be a surprising default as other
> distributions and cloud platforms (AWS) don't, so there's a pretty wide
> expectation that unprivileged users can get this information.
IMDS is open to all users on AWS by default, but they do have their session-based IMDSv2 with additional IP-TTL-based restrictions intended to protect against unauthorized access over bridged or proxied interfaces. It's possible to block access to the original, non-session-based interface. [1]

Microsoft is developing a Guest Proxy Agent for Azure that attempts to provide IMDS access policy enforcement on the client side. The default behavior of this proxy will be to block IMDS access to non-root users. [2] (I wonder what this agent would do if deployed on OpenStack...)

So there is work being done to control IMDS access in commercial clouds. What is the current best practice in the OpenStack community? Is there a better interface than the iptables CLI for configuring policy-based IMDS access? That seems like a better direction to take.

noah

1. https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/
2. https://github.com/Azure/GuestProxyAgent
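For reference, here is what the guest-side "only root may reach IMDS" policy that the thread discusses looks like when expressed with plain iptables, plus the AWS-side command from [1] that makes IMDSv2 mandatory and drops the hop limit to 1. This is an added example, not code from the thread or from either project; the chain name `IMDS-GUARD`, the `IMDS_ALLOWED_UID` variable and the instance id are assumptions.

```shell
#!/bin/sh
# Constructed example: restrict the link-local metadata endpoint to one
# local uid (root by default) using the iptables owner match, which only
# applies to locally generated traffic, i.e. the OUTPUT chain.
IMDS_ADDR="169.254.169.254"
IMDS_ALLOWED_UID="${IMDS_ALLOWED_UID:-0}"   # assumed knob: uid allowed to talk to IMDS
CHAIN="IMDS-GUARD"                          # assumed chain name

# Emit the rules instead of applying them, so the policy can be reviewed
# (or checked in a test) without root.
imds_rules() {
    uid="$1"
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -m owner --uid-owner $uid -j RETURN
iptables -A $CHAIN -j REJECT --reject-with icmp-port-unreachable
iptables -I OUTPUT -d $IMDS_ADDR -j $CHAIN
EOF
}

# Apply the rules when running as root; otherwise print them as a dry run.
imds_apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root; dry run of the rules that would be applied:" >&2
        imds_rules "$IMDS_ALLOWED_UID"
        return 0
    fi
    imds_rules "$IMDS_ALLOWED_UID" | sh -e
}

# Provider-side hardening on AWS (the approach in [1]): require the
# session token (IMDSv2 only) and keep the PUT response hop limit at 1 so
# the token cannot be obtained through a bridged or proxied hop.
# The instance id is a placeholder.
imdsv2_only_cmd() {
    instance_id="${1:-i-PLACEHOLDER}"
    echo "aws ec2 modify-instance-metadata-options --instance-id $instance_id" \
         "--http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1"
}
```

Running `imds_apply` as root installs the rules; any other user sees the dry run, and `imds_rules 1000` shows the same policy for a non-root uid.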
