Limit access to metadata on GCE instance


Problem description

Is there some way to limit access to the internal metadata IP? Background is: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/

When I fetch all the data with curl I can see the email address of my Google account among other stuff. I'd like to limit the data itself and access to the data as much as possible. Metadata is required during setup and boot as far as I know. Is there some way around this or at least some way to lock down access after boot? An internal firewall is only a limited solution as it can be disabled by someone inside the machine.

Recommended answer

Permission to access the Compute Engine Metadata Server is granted to the VM instance. You cannot selectively limit access to portions.

For most VM instance operations, the metadata is not required. It is for items such as startup scripts, custom security settings like SSH keys, etc.

You can prevent access to the Metadata server by removing all scopes to the VM instance.

Disabling access to the Metadata Server means that you cannot assign a default service account to the instance. For apps that do not need to access other Google Cloud services, this is fine.

This leaves you with an all or nothing choice. Either enable access to the metadata or disable access to it.

The tutorial on privilege escalation provides good information. If your VM instance can be breached and a local login obtained, you have a serious problem. Assigning least privilege to the instance helps mitigate damage to other resources and access to information. Security best practices mean that you protect the VM instance so that a breach cannot occur. Once an intruder is inside the machine, metadata is just one concern of many.
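Added example, not part of the original thread: a small audit script in the spirit of the answer's all-or-nothing point. It reads instance descriptions in the shape `gcloud compute instances list --format=json` prints them and reports which instances still have a service account (and which scopes) that the metadata server can hand a token out for. The scope list and the three sample instances are constructed for illustration.

```python
import json

# Scopes that let a token taken from the metadata server reach well beyond the VM.
# Constructed list of real OAuth scope names; extend to taste.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/devstorage.read_write",
}


def audit_instance(instance):
    """Return a list of findings for one instance description (a dict).

    An empty list means no service account is attached, so the metadata
    server has no access token to give to anyone reaching it from inside the VM.
    """
    findings = []
    for sa in instance.get("serviceAccounts", []):
        scopes = set(sa.get("scopes", []))
        broad = sorted(scopes & BROAD_SCOPES)
        if broad:
            findings.append(f"{sa['email']} has broad scopes: {', '.join(broad)}")
        elif scopes:
            findings.append(f"{sa['email']} attached with scopes: {', '.join(sorted(scopes))}")
        else:
            findings.append(f"{sa['email']} attached with no scopes")
    return findings


def audit(instances_json):
    """Map instance name -> findings for a JSON array of instance descriptions."""
    return {inst["name"]: audit_instance(inst) for inst in json.loads(instances_json)}


# Constructed sample in the shape of `gcloud compute instances list --format=json`.
SAMPLE = json.dumps([
    {"name": "web-1",
     "serviceAccounts": [{"email": "123456-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
    {"name": "batch-1",
     "serviceAccounts": [{"email": "batch@example-project.iam.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "static-1"},  # no serviceAccounts key: nothing for the metadata server to expose
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", findings or ["OK: no service account reachable via metadata"])
```

Instances that come back clean are the "disable" side of the choice the answer describes; in gcloud that state is reached with the `--no-service-account --no-scopes` flags of `compute instances create` or `compute instances set-service-account`.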
