Hacker News

Technically, shouldn't. But in AWS' documentation for container roles, they have a note that explicitly suggests implementing an iptables rule (and even provides the iptables command) to prevent access to the instance's metadata.

http://docs.aws.amazon.com/AmazonECS/latest/developerguide/t...

That said, this is another of those "more ink should be spilled" moments, since preventing access to the instance metadata is something that you SHOULD do from a security point of view.
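The rule the comment above refers to, written out as an added example (this is not the commenter's text and not the exact command from the AWS page, which is only linked, not quoted, in the thread). It assumes a Docker host where container traffic arrives on bridge interfaces named docker* and passes through the FORWARD chain, and that the instance metadata service lives at the link-local address 169.254.169.254; the `IPTABLES` override and the `fake`-free `apply`/`check` sub-commands are conveniences of this script, not part of anything AWS ships.

```shell
#!/bin/sh
# Added example: stop containers from reaching the EC2 instance metadata
# service by dropping forwarded traffic from Docker bridges to 169.254.169.254.
# Assumptions (not taken from the original thread): bridge interfaces are
# named docker*, and container traffic traverses the host's FORWARD chain.
set -eu

METADATA_IP="169.254.169.254/32"     # link-local metadata endpoint
CONTAINER_IFACE="docker+"            # iptables wildcard for docker0, docker1, ...
IPTABLES="${IPTABLES:-iptables}"     # override for a dry run, e.g. IPTABLES=echo

# Insert a DROP rule at the top of FORWARD for container -> metadata traffic.
# Idempotent: returns 0 when the rule was inserted, 1 when it already existed,
# so re-running the script on a host that is already protected is harmless.
block_metadata() {
    if "$IPTABLES" -C FORWARD -i "$CONTAINER_IFACE" -d "$METADATA_IP" -j DROP 2>/dev/null; then
        return 1
    fi
    "$IPTABLES" -I FORWARD 1 -i "$CONTAINER_IFACE" -d "$METADATA_IP" -j DROP
}

# Report whether the rule is currently in place (0 = present, 1 = absent).
metadata_blocked() {
    "$IPTABLES" -C FORWARD -i "$CONTAINER_IFACE" -d "$METADATA_IP" -j DROP 2>/dev/null
}

# Usage: ./block-metadata.sh apply | check   (no argument: define functions only)
case "${1:-}" in
    apply)
        if block_metadata; then
            echo "inserted DROP rule for $CONTAINER_IFACE -> $METADATA_IP"
        else
            echo "DROP rule for $CONTAINER_IFACE -> $METADATA_IP already present"
        fi
        ;;
    check)
        if metadata_blocked; then
            echo "metadata access from containers is blocked"
        else
            echo "metadata access from containers is NOT blocked"
            exit 1
        fi
        ;;
    "") ;;
    *)  echo "usage: $0 apply|check" >&2; exit 2 ;;
esac
```

Two caveats a practitioner will want: the rule only matches traffic that is forwarded from a docker* bridge, so a container started with `--net=host` shares the host's stack and is not covered by it; and a rule inserted at runtime is gone after a reboot unless it is saved with the distribution's iptables persistence mechanism.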




I don't recall Task Roles being a thing when I started using EC2 Container Service. For container security and isolation, that makes a whole lot of sense.




