AWS Metadata Proxy for protection against SSRF
willbengtson Update README iptable
Update the iptables rule to reflect what is in the example golang proxy code
Latest commit 7f39e87 Sep 17, 2018


AWS Metadata Proxy

Example AWS Metadata proxy to protect against attack vectors targeting AWS credentials

Getting Started

Clone the repo

git clone https://github.com/Netflix-Skunkworks/aws-metadata-proxy.git
cd aws-metadata-proxy

Build the proxy

go get
go build

Network Setup

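Create an iptables rule that prevents every user except one from talking directly to the AWS Metadata Service. In the example below that user is proxy_user, the account you run the proxy as on your server. Traffic from all other users to 169.254.169.254 on TCP port 80 is redirected to 127.0.0.1:9090.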

/sbin/iptables -t nat -A OUTPUT -m owner ! --uid-owner proxy_user -d 169.254.169.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:9090
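
A proxy that the rule above could redirect to, written as an added example and not taken from the repository's main.go. The User-Agent allowlist, the X-Forwarded-For rejection, and the names `allowed` and `newProxy` are assumptions made for illustration; the listen address matches the rule's `--to-destination`.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Assumed allowlist of SDK User-Agent prefixes; adjust to the clients on the host.
var allowedAgents = []string{"aws-sdk-", "aws-cli/", "Boto3/", "Botocore/"}

// allowed reports whether r looks like a local SDK call rather than a relayed request.
func allowed(r *http.Request) bool {
	if r.Header.Get("X-Forwarded-For") != "" { // relayed by another proxy
		return false
	}
	ua := r.Header.Get("User-Agent")
	for _, p := range allowedAgents {
		if strings.HasPrefix(ua, p) {
			return true
		}
	}
	return false
}

// newProxy forwards permitted requests to upstream and answers 403 to the rest.
func newProxy(upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	direct := rp.Director
	rp.Director = func(req *http.Request) {
		direct(req)
		req.Header["X-Forwarded-For"] = nil // stop ReverseProxy adding the header
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed(r) {
			http.Error(w, "metadata access denied", http.StatusForbidden)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Must run as proxy_user: the iptables rule exempts only that user, so an
	// upstream request from any other account is redirected back to :9090.
	upstream, _ := url.Parse("http://169.254.169.254") // constant URL, cannot fail
	log.Fatal(http.ListenAndServe("127.0.0.1:9090", newProxy(upstream)))
}
```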