Instance information disclosure by abuse of metadata URLs

tl;dr: block 169.254.169.254 URLs from being used in your application.

Almost every cloud instance can retrieve its own metadata using metadata URLs. These URLs return the current configuration of the cloud instance: security groups, public IP addresses, configured public keys, user data and so on. Take a look at the docs below to find out more about the metadata and attributes.

This information can be used by scripts and for automating tasks, but the caveat is that it can also be abused to leak information about the current instance.

If a website offers some way to enter a URL and retrieve data from it (an image, page information or something else), that feature can also be used to retrieve metadata from the server. This is information you don't want to disclose.

For example, if you've secured your server behind an elastic load balancer and hidden internals such as the public IP and security groups, these can still be retrieved by simply requesting the URL http://169.254.169.254/latest/meta-data/hostname and looking at the results. It is even possible to retrieve user data, which may contain information like database configurations.

Don't allow these URLs to be retrieved within your application. Block them.

The metadata URLs vary per cloud provider. Here are some:

Google http://169.254.169.254/computeMetadata/v1/

Amazon http://169.254.169.254/latest/meta-data/hostname

OpenStack http://169.254.169.254/2009-04-04/meta-data/instance-id

DreamHost http://169.254.169.254/metadata/v1/hostname