imds.conf
# imds-filterd sample configuration file
# ======================================
#
# Lines starting with '#' are comments which are ignored.
# Blank lines are also ignored.
#
# Directives are of the form
# (Allow|Deny) [user name|group name] "/path/to/stuff"
# and the last matching rule applies. If no rule matches, access is denied.
#
# The path string must be quoted, and is a prefix; e.g. "/path/to/stuff"
# matches a request for "/path/to/stuff/which/I/need" but not a request
# for "/evil/path/to/stuff". A wildcard "*" matches any single path segment,
# e.g. "/*/foo" matches "/bar/foo" but does not match "/bar/baz/foo", and may
# not match a partial segment, i.e. "/a*" is a syntax error.

# Start by allowing access to anything
Allow "/"

# Deny access to IAM Roles and Amazon's mysterious "internal use only"
# credentials.
Deny "/*/meta-data/iam/security-credentials/"
Deny "/*/meta-data/identity-credentials/ec2/security-credentials/"

# Root gets to access everything anyway.
Allow user root "/"

# Examples
# ========
#
# Give a daemon access to an IAM Role:
# Allow user mydaemon "/*/iam/security-credentials/myrole"
#
# Give the "wheel" group access to everything:
# Allow group wheel "/"
#
# Blocking all access to the IMDS from a web proxy:
# Deny user www "/"
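The rule semantics the comments above spell out (last matching rule wins, default deny, quoted prefix paths, a "*" that matches exactly one segment, optional user/group qualifier) are easy to get wrong when editing a filter policy, so here is a small evaluator that reads a configuration in this format and answers "would this user be allowed to fetch this path?". It is an added example written for this page, not code from imds-filterd, and it makes two assumptions the comments leave open: prefix matching is segment-aligned (so "/a/b" matches "/a/b/c" but not "/a/bc"), and a trailing slash on either the rule or the request is ignored. The sample configuration embedded below is the one on this page plus one constructed rule for a hypothetical user `mydaemon`.

```python
"""
Evaluator for imds-filterd style Allow/Deny rules.

Reimplementation for illustration, NOT the imds-filterd source. It follows the
semantics described in the sample configuration's comments:
  - directives: (Allow|Deny) [user NAME|group NAME] "/quoted/path"
  - lines starting with '#' and blank lines are ignored
  - the last matching rule applies; if nothing matches, access is denied
  - the path is a prefix; "*" matches any single path segment; "/a*" is an error
Assumptions not stated on the page: prefix matching is segment-aligned and
trailing slashes are ignored.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (Allow|Deny) [user NAME | group NAME] "/path"
DIRECTIVE_RE = re.compile(
    r'^(Allow|Deny)(?:\s+(user|group)\s+(\S+))?\s+"(/[^"]*)"\s*$'
)


@dataclass(frozen=True)
class Rule:
    allow: bool
    subject_kind: Optional[str]   # None (everyone), "user" or "group"
    subject: Optional[str]
    segments: Tuple[str, ...]     # path split on '/', empty segments dropped


def split_path(path: str) -> Tuple[str, ...]:
    """'/latest/meta-data/' -> ('latest', 'meta-data'); trailing slash ignored."""
    return tuple(seg for seg in path.split("/") if seg)


def parse_config(text: str) -> List[Rule]:
    """Parse the configuration text into an ordered list of rules."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse directive: {raw!r}")
        action, kind, name, path = m.groups()
        segments = split_path(path)
        # "*" may only stand for a whole segment; "/a*" is a syntax error.
        for seg in segments:
            if "*" in seg and seg != "*":
                raise ValueError(f"line {lineno}: partial wildcard segment {seg!r}")
        rules.append(Rule(action == "Allow", kind, name, segments))
    return rules


def rule_matches(rule: Rule, user: str, groups: List[str], path: str) -> bool:
    """True if the rule's subject and prefix both apply to this request."""
    if rule.subject_kind == "user" and rule.subject != user:
        return False
    if rule.subject_kind == "group" and rule.subject not in groups:
        return False
    req = split_path(path)
    if len(rule.segments) > len(req):
        return False                      # rule is longer than the request
    # Segment-wise prefix comparison; "*" accepts exactly one segment.
    return all(r == "*" or r == q for r, q in zip(rule.segments, req))


def is_allowed(rules: List[Rule], user: str, groups: List[str], path: str) -> bool:
    """Apply the rules in order; the last match decides, default is deny."""
    decision = False
    for rule in rules:
        if rule_matches(rule, user, groups, path):
            decision = rule.allow
    return decision


# Constructed sample: the page's active rules plus one extra rule for a
# hypothetical daemon that needs a single IAM role's credentials.
SAMPLE_CONFIG = """
Allow "/"
Deny "/*/meta-data/iam/security-credentials/"
Deny "/*/meta-data/identity-credentials/ec2/security-credentials/"
Allow user root "/"
# constructed rule (not on the page): one daemon, one role
Allow user mydaemon "/*/meta-data/iam/security-credentials/myrole"
"""

ROLE_PATH = "/latest/meta-data/iam/security-credentials/myrole"

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    for user, path in [("www", "/latest/meta-data/instance-id"),
                       ("www", ROLE_PATH),
                       ("mydaemon", ROLE_PATH),
                       ("root", ROLE_PATH)]:
        print(f"{user:9s} {path}: {'allow' if is_allowed(rules, user, [], path) else 'deny'}")
```

Because the last matching rule wins, a later `Allow user ...` only overrides the credential `Deny` if its path actually matches the request being made; the constructed daemon rule therefore uses the full `/*/meta-data/iam/security-credentials/myrole` prefix, and a request for any other role under that directory still falls through to the `Deny`. Running a proposed configuration through `is_allowed` for the identities and paths you care about is a cheap way to confirm that before deploying it.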