Example AWS Metadata proxy to protect against attack vectors targetting AWS Credentials
Clone the repo
git clone https://github.com/Netflix-Skunkworks/aws-metadata-proxy.git
cd aws-metadata-proxy
Build the proxy
go get
go build
Create an iptable
rule that prevents talking directly to the AWS Metadata Service except for a particular user, proxy_user
in the example below. This is the user you run the proxy as on your server.
/sbin/iptables -t nat -A OUTPUT -m owner ! --uid-owner proxy_user -d 169.254.169.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:9090