Updated on 2025-08-12 GMT+08:00

Metadata Security Best Practices

Disabling Instance Metadata (When Purchasing an ECS)

If your ECS applications do not need to access metadata, disable metadata to avoid unnecessary security risks.

  1. Log in to the management console and access the Buy ECS page.

    Set the required parameters to purchase an ECS. For details, see Purchasing an ECS in Custom Config Mode.

  2. In Advanced Settings, set Metadata Access to Disable.
    Figure 1 Setting the metadata version
  3. Confirm the settings and click Submit.

Disabling Instance Metadata (For an Existing ECS)

If your ECS applications do not need to access metadata, disable metadata to avoid unnecessary security risks.

  1. Go to the ECS list.
  2. Click the ECS name to go to the ECS details page.
  3. Disable metadata access.
    Figure 2 Disabling metadata access
  4. In the Disable Metadata Access dialog box, enter YES and click OK.
    Figure 3 Disabling metadata access

Restricting the Scope of an Agency

Configure an agency to obtain temporary credentials from metadata. For details, see Accessing Other Cloud Services from ECS Using Temporary Access Keys of an Agency.

To prevent credential leakage, you need to strictly control the scope of the agency.

  • If temporary credentials are not required, do not configure an agency.
  • If temporary credentials are required, configure only necessary permissions for the agency based on the principle of least privilege (PoLP).

Accessing Metadata Using V2 (Hardening)

V2 (hardening) helps prevent most SSRF attacks on metadata.

However, enforcing V2 denies access using the V1 (traditional) method, so applications that still rely on V1 lose access to metadata. To avoid this, move to V2 (hardening) consistently, both in the OS and at the instance level:

  • Set the access method of services or applications in the OS to V2 (hardening) for metadata access.
  • Set Metadata Version of an ECS to Only V2 (Token). For details, see Configuring Instance Metadata Options.
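To show why a token-based V2 method blunts SSRF, here is an added, self-contained mock of such a metadata service with a client that exercises it; this is illustration code, not Huawei Cloud's implementation, and the token path (/token) and header names (X-Token-Ttl-Seconds, X-Token) are assumptions, since the real ones are not given on this page.

```python
# Mock of a token-based ("V2") metadata service: added illustration, not Huawei
# Cloud code. The token path and header names are assumptions (not on the page).
import secrets, threading, time
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {}  # token -> expiry time (constructed in-memory store)

class V2Handler(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # keep the demo quiet
    def _reply(self, code, body):
        self.send_response(code); self.end_headers(); self.wfile.write(body.encode())

    def do_PUT(self):
        # Tokens are issued only for a PUT with no proxy header: common SSRF
        # primitives issue plain GETs, and proxied requests carry X-Forwarded-For.
        if self.path != "/token" or "X-Forwarded-For" in self.headers:
            return self._reply(403, "forbidden")
        ttl = int(self.headers.get("X-Token-Ttl-Seconds", "0"))
        if not 1 <= ttl <= 21600:
            return self._reply(400, "bad ttl")
        token = secrets.token_urlsafe(32)
        TOKENS[token] = time.time() + ttl
        self._reply(200, token)

    def do_GET(self):
        # A V1-style plain GET carries no valid token and is refused
        token = self.headers.get("X-Token")
        if token not in TOKENS or TOKENS[token] < time.time():
            return self._reply(401, "token required")
        self._reply(200, '{"credentials": "constructed-placeholder"}')

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), V2Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port

def fetch(port, method="GET", path="/meta", headers=None):
    conn = HTTPConnection("127.0.0.1", port)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    return resp.status, resp.read().decode()

def demo():
    port = start_server()
    v1 = fetch(port)[0]  # plain GET, which is all most SSRF primitives can issue
    proxied = fetch(port, "PUT", "/token", {"X-Token-Ttl-Seconds": "60", "X-Forwarded-For": "203.0.113.9"})[0]
    token = fetch(port, "PUT", "/token", {"X-Token-Ttl-Seconds": "60"})[1]
    v2 = fetch(port, headers={"X-Token": token})[0]
    return v1, proxied, v2
```

demo() returns (401, 403, 200): the plain GET and the proxied token request are refused, while the two-step client that first obtains a token succeeds.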

Using a Firewall to Restrict Access to Metadata

If the metadata contains sensitive data, use local firewall rules to restrict access to metadata at the OS user level.

Example firewall configuration:

  • Windows

    To only allow the administrator to access custom data, enable the firewall as the administrator and run the following commands in PowerShell. The SDDL built below applies the block rule to Everyone (the allow ACE) while exempting Administrator (the deny ACE), so only the administrator can reach 169.254.169.254:

    PS C:\>$RejectPrincipal = New-Object -TypeName System.Security.Principal.NTAccount ("Everyone")

    PS C:\>$RejectPrincipalSID = $RejectPrincipal.Translate([System.Security.Principal.SecurityIdentifier]).Value

    PS C:\>$ExceptPrincipal = New-Object -TypeName System.Security.Principal.NTAccount ("Administrator")

    PS C:\>$ExceptPrincipalSID = $ExceptPrincipal.Translate([System.Security.Principal.SecurityIdentifier]).Value

    PS C:\>$PrincipalSDDL = "O:LSD:(D;;CC;;;$ExceptPrincipalSID)(A;;CC;;;$RejectPrincipalSID)"

    PS C:\>New-NetFirewallRule -DisplayName "Reject metadata service for $($RejectPrincipal.Value), exception: $($ExceptPrincipal.Value)" -Action block -Direction out -Protocol TCP -RemoteAddress 169.254.169.254 -LocalUser $PrincipalSDDL

  • Linux

    To only allow user root to access custom data, run the following command as user root. The rule rejects outbound TCP connections to the metadata address from every process not owned by root; it is not persistent by default, so save it with your distribution's iptables persistence mechanism to keep it across reboots:

    iptables --append OUTPUT --proto tcp --destination 169.254.169.254 --match owner ! --uid-owner root --jump REJECT