This repository has been archived by the owner on Jul 19, 2019. It is now read-only.
Prevent Agent Nodes' Unprivileged Users From Accessing EC2 Metadata #37
Labels: bug
Problem Description:
Currently, unprivileged users on agent nodes can access EC2 metadata. Given that the agent nodes and master nodes are frequently deployed using the same instance-role, this can allow unprivileged users on the agent nodes to leverage powers that should only be accessible from processes on the master node.
Expected Behavior:
Master and agent nodes can share an instance-role but not inherit all the same capabilities (particularly by non-privileged users).
Actual Behavior:
Unprivileged processes running on master and agent nodes sharing an instance-role inherit all the same capabilities.
Fix recommendation:
See ServerFault thread for ideas on preventing unprivileged users from gaining access to a hosting-instance's AWS metadata.
Alternately, create an agent-specific role-template that removes access to the S3 resources (and ensure agents only have that role attached).
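
One way to implement the first recommendation, shown as an added example that is not from the issue author or the project: host firewall rules that let only allow-listed local UIDs reach the metadata address. It assumes a Linux agent node with iptables and the owner match; the chain name, the `IMDS_GUARD_APPLY` and `IMDS_ALLOWED_UIDS` variables and the UID list are hypothetical.

```shell
#!/bin/sh
# Added example: limit access to the EC2 instance metadata service by local UID.
# Assumptions: Linux host with iptables and the owner match available;
# IMDS_GUARD, IMDS_GUARD_APPLY and IMDS_ALLOWED_UIDS are hypothetical names.

IMDS_ADDR="169.254.169.254"   # link-local address of the EC2 metadata service
CHAIN="IMDS_GUARD"            # hypothetical user-defined chain

# Print the iptables commands for a space-separated list of allowed numeric UIDs.
# Returns 1 (and prints nothing on stdout) if the list is empty or malformed,
# so a typo can never produce a rule set that silently allows everyone.
imds_rules() {
    allowed_uids="$1"
    [ -n "$allowed_uids" ] || { echo "empty UID allow-list" >&2; return 1; }
    for uid in $allowed_uids; do
        case "$uid" in
            *[!0-9]*) echo "invalid uid: $uid" >&2; return 1 ;;
        esac
    done

    echo "iptables -N $CHAIN"
    for uid in $allowed_uids; do
        # Packets from an allowed UID leave the chain and continue through OUTPUT.
        echo "iptables -A $CHAIN -m owner --uid-owner $uid -j RETURN"
    done
    # Every other local sender is refused.
    echo "iptables -A $CHAIN -j REJECT --reject-with icmp-port-unreachable"
    # Hook the chain in last, once it is fully populated.
    echo "iptables -I OUTPUT -d $IMDS_ADDR -j $CHAIN"
}

# Nothing is applied unless explicitly requested; by default the rules can be
# reviewed with: imds_rules "0"
if [ "${IMDS_GUARD_APPLY:-0}" = "1" ]; then
    imds_rules "${IMDS_ALLOWED_UIDS:-0}" | sh -e
fi
```

The owner match only sees locally generated packets in the OUTPUT path, so containers with their own network namespace need a separate rule, and the rules must be persisted to survive a reboot.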