How We Leveraged the Honeycomb Network Agent for Kubernetes to Remediate Our IMDS Security Finding
Blog post from Honeycomb
Amidst routine work, a security issue was identified through a pentest. It highlighted how hard it is to remediate a vulnerability with limited tooling, in this case Kubernetes pods accessing the Instance Metadata Service (IMDS) of the AWS EC2 instances they run on. The goal was to move from IMDS v1, which answers unauthenticated requests, to the more secure IMDS v2, which requires a session token, so that pods could not read instance metadata without authorization. The challenge was tracing the origin of IMDS v1 calls within a Kubernetes cluster without modifying EC2 scripts or relying solely on per-instance data. This led to the development of the Honeycomb Network Agent, an open-source tool that provides visibility at the network level by capturing packet data and sending it to Honeycomb as events for analysis. Using this agent, the team quickly identified the unnecessary IMDS v1 calls and either blocked them or fixed their callers. Once every necessary call had been addressed, the team changed their autoscaling group launch templates to require IMDS v2, which resolved the finding; a follow-up query on the same data returned a blank graph, confirming that no IMDS v1 traffic remained.
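The attribution step described above, as an added example that is not Honeycomb's code or part of the original post: given HTTP request events captured at the network level, classify each request to the IMDS endpoint as IMDS v1 (no session token), IMDS v2 (token header present) or the v2 token handshake, and count v1 requests per source pod IP. The event field names (`src_ip`, `dst_ip`, `method`, `path`, `headers`) and the sample addresses are assumptions constructed for the example; the IMDS address, token path and token header name are the real AWS values.

```python
"""Classify captured HTTP requests to the EC2 IMDS endpoint as v1 or v2 and attribute v1 calls to pods."""
from collections import Counter

IMDS_ADDR = "169.254.169.254"            # link-local address of the EC2 metadata service
TOKEN_HEADER = "x-aws-ec2-metadata-token"  # header carrying an IMDSv2 session token
TOKEN_PATH = "/latest/api/token"         # PUT here obtains an IMDSv2 session token

# Constructed sample events; the field layout is an assumption, not the agent's real schema.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.1.12", "dst_ip": IMDS_ADDR, "method": "GET",
     "path": "/latest/meta-data/iam/security-credentials/", "headers": {}},
    {"src_ip": "10.0.1.12", "dst_ip": IMDS_ADDR, "method": "GET",
     "path": "/latest/meta-data/instance-id", "headers": {}},
    {"src_ip": "10.0.2.40", "dst_ip": IMDS_ADDR, "method": "PUT",
     "path": TOKEN_PATH,
     "headers": {"X-aws-ec2-metadata-token-ttl-seconds": "21600"}},
    {"src_ip": "10.0.2.40", "dst_ip": IMDS_ADDR, "method": "GET",
     "path": "/latest/meta-data/instance-id",
     "headers": {"X-aws-ec2-metadata-token": "constructed-token-value"}},
    {"src_ip": "10.0.3.7", "dst_ip": "10.0.0.5", "method": "GET",
     "path": "/healthz", "headers": {}},
]


def classify(event):
    """Return 'v1', 'v2', 'token-request', or None when the request is not IMDS traffic."""
    if event["dst_ip"] != IMDS_ADDR:
        return None
    headers = {k.lower(): v for k, v in event["headers"].items()}  # header names are case-insensitive
    if event["method"] == "PUT" and event["path"] == TOKEN_PATH:
        return "token-request"  # the IMDSv2 handshake; allowed once v2 is required
    if TOKEN_HEADER in headers:
        return "v2"
    return "v1"  # unauthenticated metadata read: exactly what requiring IMDSv2 blocks


def v1_callers(events):
    """Count IMDSv1 requests per source IP so each pod still on v1 can be found and fixed."""
    counts = Counter()
    for event in events:
        if classify(event) == "v1":
            counts[event["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in v1_callers(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} IMDSv1 request(s)")
```

An empty result from `v1_callers` over a full capture window is the programmatic equivalent of the blank graph the post describes.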