summaryrefslogtreecommitdiff
path: root/cloudinit/ec2_utils.py
diff options
context:
space:
mode:
authorAndrew Jorgensen <ajorgens@amazon.com>2016-11-01 10:54:31 -0400
committerScott Moser <smoser@brickies.net>2017-01-20 13:48:08 -0500
commitb71592ce0e0a9f9f9f225315015ca57b312ad30d (patch)
tree785f47c903b57b5b32cc59f69a1eab4431da0d38 /cloudinit/ec2_utils.py
parent145410f81c144a46cf5ce0324ff4454fa9f54ad0 (diff)
downloadvyos-cloud-init-b71592ce0e0a9f9f9f225315015ca57b312ad30d.tar.gz
vyos-cloud-init-b71592ce0e0a9f9f9f225315015ca57b312ad30d.zip
EC2: Do not cache security credentials on disk
On EC2, instance metadata can include credentials that remain valid for as much as 6 hours. Reading these and allowing them to be pickled represents a potential vulnerability if a snapshot of the disk is taken and shared as part of an AMI. This skips security-credentials when walking the meta-data tree. LP: #1638312 Reviewed-by: Ian Weller <iweller@amazon.com> Reviewed-by: Ben Cressey <bcressey@amazon.com> Reported-by: Kyle Barnes <barnesky@amazon.com>
Diffstat (limited to 'cloudinit/ec2_utils.py')
-rw-r--r--cloudinit/ec2_utils.py3
1 files changed, 3 insertions, 0 deletions
diff --git a/cloudinit/ec2_utils.py b/cloudinit/ec2_utils.py
index c656ef14..0c16ae47 100644
--- a/cloudinit/ec2_utils.py
+++ b/cloudinit/ec2_utils.py
@@ -82,6 +82,9 @@ class MetadataMaterializer(object):
field_name = get_name(field)
if not field or not field_name:
continue
+ # Don't materialize credentials
+ if field_name == 'security-credentials':
+ continue
if has_children(field):
if field_name not in children:
children.append(field_name)