bottlerocket-os / bottlerocket

An operating system designed for hosting containers
https://bottlerocket.dev

Support ECS `ECS_AWSVPC_BLOCK_IMDS` configuration #3607

Open jarreds opened 10 months ago

jarreds commented 10 months ago

What I'd like:

I'd like to be able to configure the ECS agent with ECS_AWSVPC_BLOCK_IMDS=true.

jarreds commented 10 months ago

One thing that is unclear to me is if this setting is actually necessary for IMDSv2, but I suppose that's for another repo.

vyaghras commented 10 months ago

@jarreds Thanks for raising this issue. We will look into this. Also, regarding "but I suppose that's for another repo": can you explain which other repo you are referring to?

arnaldo2792 commented 10 months ago

Hi @jarreds, I read the code in the ECS agent, and ECS_AWSVPC_BLOCK_IMDS is used to configure the VPC ENI plugin. This configuration will add a blackhole rule for all the IMDS endpoints, which basically means blocking access to IMDS for the task. Since we don't support that setting yet through the API, a workaround could be to block access to IMDS at the instance level as this page suggests:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances--turn-off-instance-metadata

Unfortunately, as I said, this will disable IMDS access at the instance level, which may not be ideal for your use case.
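The distinction drawn above is between blocking IMDS for the task's network namespace (what ECS_AWSVPC_BLOCK_IMDS does for awsvpc-mode tasks, via a blackhole route) and turning IMDS off for the whole instance. Whichever of the two is applied, the check a practitioner wants is to run a probe from inside a task and confirm that neither an IMDSv2 token nor a token-less IMDSv1 request gets an answer. The following is an added example, not code from Bottlerocket, the ECS agent or AWS; it assumes only the documented IPv4 IMDS endpoint 169.254.169.254 and the IMDSv2 token exchange (PUT /latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header). The fake IMDS server it starts on loopback is a constructed test double so the probe can be exercised offline; its token value and role name are made up.

```python
"""Probe whether the EC2 Instance Metadata Service (IMDS) answers from the
network namespace this script runs in.

Inside an ECS task with ECS_AWSVPC_BLOCK_IMDS=true (or any equivalent
blackhole route) every request should fail at the socket level, before any
HTTP is spoken. If either probe succeeds, the task can still reach IMDS.
Added example; not Bottlerocket, ECS agent or AWS code.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_V4 = "169.254.169.254"   # documented IPv4 IMDS endpoint
TOKEN_PATH = "/latest/api/token"
ROLE_PATH = "/latest/meta-data/iam/security-credentials/"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def _request(host, port, method, path, headers, timeout):
    """One HTTP exchange on a fresh connection; returns (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


def probe_imds(host=IMDS_V4, port=80, timeout=2.0):
    """Report whether IMDSv2 and IMDSv1 answer from this network namespace.

    v2:    a session token was issued for PUT /latest/api/token.
    v1:    the role list was served without any token header.
    error: the socket-level failure, if any. A blackhole route shows up here
           (connect() times out or fails immediately) before any HTTP reply.
    """
    result = {"v2": False, "v1": False, "error": None}
    try:
        status, token = _request(host, port, "PUT", TOKEN_PATH,
                                 {TTL_HEADER: "60"}, timeout)
        result["v2"] = status == 200 and bool(token)
        # IMDSv1-style request: deliberately no token header at all.
        status, _ = _request(host, port, "GET", ROLE_PATH, {}, timeout)
        result["v1"] = status == 200
    except (OSError, http.client.HTTPException) as exc:
        result["error"] = type(exc).__name__
    return result


class _FakeIMDS(BaseHTTPRequestHandler):
    """Constructed stand-in for an IMDSv2-only endpoint (test double, not AWS)."""
    TOKEN = "constructed-session-token"   # made-up value

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path == TOKEN_PATH and self.headers.get(TTL_HEADER):
            self._reply(200, self.TOKEN)
        else:
            self._reply(400, "")

    def do_GET(self):
        # IMDSv2-required behaviour: without a valid token, no metadata.
        if self.headers.get(TOKEN_HEADER) == self.TOKEN:
            self._reply(200, "constructed-task-role\n")
        else:
            self._reply(401, "")

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_imds():
    """Serve the fake IMDS on an ephemeral loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), _FakeIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_port():
    """A loopback port nothing listens on, so connect() is refused at once."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def self_check():
    """Exercise probe_imds against a reachable and a blocked endpoint."""
    server, port = start_fake_imds()
    try:
        reachable = probe_imds("127.0.0.1", port, timeout=2.0)
    finally:
        server.shutdown()
        server.server_close()
    blocked = probe_imds("127.0.0.1", closed_port(), timeout=2.0)
    return {"reachable": reachable, "blocked": blocked}


if __name__ == "__main__":
    print("live IMDS from this namespace:", probe_imds())
    print("self-check against loopback doubles:", self_check())
```

Run it as a task's command (or `docker exec` into a running task) on the instance in question: a blocked task prints an `error` and both flags False for the live probe, while an unblocked task on an IMDSv2-required instance shows `v2: True, v1: False`, which is exactly the credential path a compromised task would use to read the instance role. Note that a real blackhole route fails at connect(), so the probe never needs to distinguish HTTP status codes in the blocked case; the fake server only exists to show what "not blocked" looks like offline.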

jarreds commented 10 months ago

@vyaghras I was referring to https://github.com/aws/amazon-ecs-agent.

@arnaldo2792 thank you for the recommendation. Unfortunately, we do need IMDS enabled on the instance. We'd simply like to block tasks from accessing it.

arnaldo2792 commented 10 months ago

@jarreds, no worries! Let us take this back to the team to prioritize and check when this can be delivered.