F39 proposal: Register EC2 Cloud Images with IMDSv2-only AMI flag (Self-Contained Change proposal)

2023-03-20 Thread Ben Cotton
https://fedoraproject.org/wiki/Changes/CloudEC2IMDSv2Only

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==
In November 2019, AWS launched IMDSv2 (Instance Meta-Data Store
version 2 - see
https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
) which provides "belt and suspenders" protections for four types of
vulnerabilities that could be used to try to access the Instance
Meta-Data Store available to EC2 instances. In that announcement, AWS
recommended adopting IMDSv2 and restricting access to IMDSv2 only for
added security. This can be done at instance launch time, or
([https://aws.amazon.com/about-aws/whats-new/2022/10/amazon-machine-images-support-instance-metadata-service-version-2-default/
more recently in October 2022]) by providing a flag when registering
an AMI to indicate that the AMI should by default launch with IMDSv1
disabled, and thus require IMDSv2.

By enabling this flag for Fedora, we provide a better security posture
for Fedora users running in EC2.

When an AMI is registered for IMDSv2 it is still possible to launch
instances with IMDSv1 enabled by providing the right option to the
RunInstances EC2 API call. The flag merely switches the default.

== Owner ==
* Name: [[User:Trawets| Stewart Smith]] [[User:Davdunc| David Duncan]]
* Email: traw...@amazon.com


== Detailed Description ==
Attached locally to every EC2 instance, the Instance Meta-Data Service
runs on a special "link local" IP address of 169.254.169.254 that
means only software running on the instance can access it. For
applications with access to IMDS, it makes available metadata about
the instance, its network, and its storage. The IMDS also makes the
AWS credentials available for any IAM role that is attached to the
instance.

IMDS is the primary data source for `cloud-init` on EC2, and various
other utilities will also access it.

The 
[https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
 IMDSv2 announcement] gives more details as to the "belt and
suspenders" protections it brings for four types of vulnerabilities
that could be used to try to access the IMDS.

By default, registering and then launching an AMI will launch an EC2
instance where both IMDSv1 and IMDSv2 are enabled. A recent addition to
the EC2 API is the ability to register an AMI with a flag that
indicates that the default behavior when launching an instance should
be to have IMDSv2 enabled and IMDSv1 disabled.
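The practical consequence for the "other developers" case below is the client-side handshake: once IMDSv1 is disabled, a plain GET to the metadata service is refused, and a caller must first obtain a session token with a PUT and then send it on every request. The following is an added example, not code from the Change proposal or from AWS or cloud-init. It runs a small stand-in for IMDS on loopback that mimics the documented behaviour when tokens are required (401 for token-less GETs), and compares an unmodified IMDSv1-style call with the IMDSv2 flow. The token value, the sample metadata paths and the instance ID are constructed; the header names and the `/latest/api/token` path are the real IMDSv2 ones.

```python
"""IMDSv2 token handshake against a local stand-in for the metadata service.

Added example (not from the proposal or from AWS): the mock imitates an
instance launched with HttpTokens=required, which is what the IMDSv2-only
AMI flag makes the default. A PUT to /latest/api/token issues a session
token, a GET carrying X-aws-ec2-metadata-token succeeds, and a GET without
it (an IMDSv1-style call) is refused with 401. Metadata values are made up.
"""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Constructed sample metadata; a real instance serves many more paths.
SAMPLE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/placement/region": "us-east-1",
}


class MockIMDSv2Handler(BaseHTTPRequestHandler):
    """Stand-in for IMDS with IMDSv1 disabled (session tokens required)."""

    issued_tokens = set()  # shared across requests; one handler per request

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_PUT(self):
        # Token issuance: requires the TTL header, as the real service does.
        if self.path != TOKEN_PATH or TTL_HEADER not in self.headers:
            self._reply(400, b"bad request")
            return
        token = secrets.token_urlsafe(32)
        self.issued_tokens.add(token)
        self._reply(200, token.encode())

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        if token not in self.issued_tokens:
            # What an unmodified IMDSv1 caller sees once v2 is required.
            self._reply(401, b"unauthorized")
            return
        body = SAMPLE_METADATA.get(self.path)
        if body is None:
            self._reply(404, b"not found")
            return
        self._reply(200, body.encode())

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def fetch_v1(base_url, path):
    """IMDSv1 style: a plain GET with no token. Returns (status, body)."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def fetch_v2(base_url, path, ttl_seconds=21600):
    """IMDSv2 style: PUT for a session token, then GET with the token header."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=5) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base_url + path,
                                 headers={TOKEN_HEADER: token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def run_demo():
    """Start the mock on an ephemeral loopback port and try both styles."""
    server = HTTPServer(("127.0.0.1", 0), MockIMDSv2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        v1 = fetch_v1(base, "/latest/meta-data/instance-id")
        v2 = fetch_v2(base, "/latest/meta-data/instance-id")
    finally:
        server.shutdown()
        server.server_close()
    return {"v1": v1, "v2": v2}


if __name__ == "__main__":
    print(run_demo())
```

Against a real instance the same `fetch_v2` works with `base_url="http://169.254.169.254"`; the mock does not imitate the two other IMDSv2 protections that the linked announcement describes (rejecting token requests that carry an `X-Forwarded-For` header, and the default response hop limit of 1), only the token requirement that the AMI flag switches on by default.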

The proposal is to, starting with Fedora 39,
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances-ami-configuration
register EC2 AMIs with this flag set, as documented in the EC2 User
Guide].

== Feedback ==
While Amazon Linux 2023 (then called AL2022) was in Tech Preview, its
AMIs have been registered with this flag since the
[https://aws.amazon.com/about-aws/whats-new/2022/10/amazon-machine-images-support-instance-metadata-service-version-2-default/
flag was announced in October 2022].

During this time, we have not received any negative feedback about
this change. The only user of IMDSv1 calls that we have so far had to
migrate to IMDSv2 calls has been some internal test cases run by a
service team.

== Benefit to Fedora ==
This change will provide Fedora users on EC2 with an enhanced security
posture by default.

== Scope ==
* Proposal owners:
Modify AMI registration to include the flag. No other technical work
is required.

* Other developers:
Any remaining code that talks to IMDS that does not use IMDSv2 will
need to be adapted to continue to work by default.

* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:


== Upgrade/compatibility impact ==

No impact for existing EC2 Instances. The AMI flag only affects new
instance launches.

== How To Test ==
Testing will not change from any regular Fedora EC2 AMI. The only
additional check needed is that the flag is set correctly on the
registered AMI.


== User Experience ==
This change should be transparent to users.

== Dependencies ==
No dependencies.

== Contingency Plan ==
* Contingency mechanism: (What to do?  Who will do it?) N/A
* Contingency deadline: N/A
* Blocks release? N/A (not a System Wide Change)


== Documentation ==
N/A (not a System Wide Change)

== Release Notes ==



-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
___
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to 

F39 proposal: EC2 AMIs default to the gp3 EBS volume type (Self-Contained Change proposal)

2023-03-20 Thread Ben Cotton
https://fedoraproject.org/wiki/Changes/CloudEC2gp3

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
In Amazon EC2, Elastic Block Store (EBS) volumes can be one of several
types. These can be specified at volume creation time, including for
the default volumes that are created on instance launch. An AMI will
have default volumes and volume types configured. Fedora currently
defaults to the gp2 volume type. This proposal is to switch to gp3 as
the default volume type for Fedora. The gp3 volume type is both more
flexible than gp2, and can be up to 20% cheaper per GB.

== Owner ==
* Name: [[User:Trawets| Stewart Smith]] [[User:Davdunc| David Duncan]]
* Email: traw...@amazon.com


== Detailed Description ==
According to https://aws.amazon.com/ebs/general-purpose/ :

: Amazon EBS gp3 volumes are the latest generation of general-purpose
SSD-based EBS volumes that enable customers to provision performance
independent of storage capacity, while providing up to 20% lower price
per GB than existing gp2 volumes. With gp3 volumes, customers can
scale IOPS (input/output operations per second) and throughput without
needing to provision additional block storage capacity. This means
customers only pay for the storage they need.

For the default configuration of Fedora 37 AMIs, this means the price
per GB per month for the default root volume would be $0.08 rather
than $0.10. The default number of provisioned IOPS would increase from
100 with gp2 to 3000 with gp3. gp2 volumes smaller than 1 TB can burst
up to 3000 IOPS (see
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/general-purpose.html#gp2-performance
GP2 volume performance]), while gp3 volumes provide a constant 3000
IOPS rather than only being able to burst to that number before
running out of IO credits.

== Feedback ==

Amazon Linux 2023 has switched to gp3 over the Amazon Linux 2 default
of gp2, and we have not received any negative feedback on that change.

== Benefit to Fedora ==

The benefit for Fedora users in EC2 is cheaper, more predictable,
higher base-IOPS, and more flexible IO performance by default. Fedora
will also be switching to the latest generation of general purpose EBS
volume, in keeping with the Fedora foundation of being First.

== Scope ==
* Proposal owners:
  * Change gp2 to gp3 in AMI registration.

* Other developers: N/A

* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:


== Upgrade/compatibility impact ==
No effect on upgrades. Existing volumes remain gp2, and the volume
type can be set on instance launch if gp3 is not preferred.

== How To Test ==
No additional testing required beyond normal Fedora testing.
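Both proposals leave the same small verification task: confirm that the registered AMI carries the intended defaults (the IMDSv2-only flag from the first proposal, gp3 as the root volume type from this one). The following is an added example and not part of either proposal or of Fedora's release tooling. It assumes boto3's EC2 client API (`register_image` and `describe_images`, including that `ImdsSupport` is only present in a DescribeImages result when the AMI was registered with `v2.0`); the client is passed in so the check can run against a real `boto3.client("ec2")` or, as here, against a constructed stub. The image names, snapshot IDs and generated AMI IDs are made-up sample values.

```python
"""Register-time defaults for Fedora EC2 AMIs, and a check that they stuck.

Added example (not from the proposals or from Fedora release engineering).
build_register_image_params() produces the keyword arguments for boto3's
ec2.register_image() with both proposed defaults set; check_ami_defaults()
reads them back through describe_images(). StubEC2 is a constructed stand-in
for the boto3 client so the example runs offline.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AmiCheck:
    image_id: str
    imds_v2_default: bool
    root_volume_type: Optional[str]
    problems: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.problems


def build_register_image_params(name, snapshot_id, architecture="x86_64",
                                root_device="/dev/sda1", volume_type="gp3"):
    """Parameters for ec2.register_image() carrying both proposed defaults."""
    return {
        "Name": name,
        "Architecture": architecture,
        "RootDeviceName": root_device,
        "VirtualizationType": "hvm",
        "EnaSupport": True,
        "ImdsSupport": "v2.0",  # launch with IMDSv1 disabled by default
        "BlockDeviceMappings": [{
            "DeviceName": root_device,
            "Ebs": {"SnapshotId": snapshot_id, "VolumeType": volume_type,
                    "DeleteOnTermination": True},
        }],
    }


def check_ami_defaults(ec2, image_id, want_volume_type="gp3"):
    """Verify the IMDSv2 flag and root volume type of a registered AMI."""
    images = ec2.describe_images(ImageIds=[image_id]).get("Images", [])
    if not images:
        return AmiCheck(image_id, False, None, [f"{image_id}: not found"])
    img = images[0]
    # ImdsSupport is only present when the AMI was registered with v2.0.
    imds_v2 = img.get("ImdsSupport") == "v2.0"
    root = img.get("RootDeviceName")
    root_type = None
    for bdm in img.get("BlockDeviceMappings", []):
        if bdm.get("DeviceName") == root and "Ebs" in bdm:
            root_type = bdm["Ebs"].get("VolumeType")
    problems = []
    if not imds_v2:
        problems.append(f"{image_id}: ImdsSupport is not v2.0 (IMDSv1 stays on)")
    if root_type != want_volume_type:
        problems.append(f"{image_id}: root volume is {root_type}, "
                        f"want {want_volume_type}")
    return AmiCheck(image_id, imds_v2, root_type, problems)


class StubEC2:
    """Constructed stand-in for boto3's EC2 client (register/describe only)."""

    def __init__(self):
        self._images = {}

    def register_image(self, **params):
        image_id = f"ami-{len(self._images):017x}"  # fake, sequential ID
        img = {"ImageId": image_id,
               "RootDeviceName": params["RootDeviceName"],
               "BlockDeviceMappings": params["BlockDeviceMappings"]}
        if params.get("ImdsSupport") == "v2.0":
            img["ImdsSupport"] = "v2.0"  # mirrors the real API: absent otherwise
        self._images[image_id] = img
        return {"ImageId": image_id}

    def describe_images(self, ImageIds):
        return {"Images": [self._images[i] for i in ImageIds if i in self._images]}


def run_demo():
    """Register one AMI with the new defaults and one the old way; check both."""
    ec2 = StubEC2()
    good = ec2.register_image(**build_register_image_params(
        "Fedora-Cloud-Base-example", "snap-0123456789abcdef0"))["ImageId"]
    legacy_params = build_register_image_params(
        "legacy-example", "snap-0fedcba9876543210", volume_type="gp2")
    del legacy_params["ImdsSupport"]  # pre-change registration: no flag
    legacy = ec2.register_image(**legacy_params)["ImageId"]
    return check_ami_defaults(ec2, good), check_ami_defaults(ec2, legacy)


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

With a real client the call is the same, e.g. `check_ami_defaults(boto3.client("ec2", region_name="us-east-1"), "ami-…")`, and the `problems` list is what a release-engineering gate would fail on. Note that the flag only changes the launch default: as the first proposal says, an instance can still be started with IMDSv1 enabled through the RunInstances metadata options, so this check covers the AMI, not every instance launched from it.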

== User Experience ==

This change will be largely transparent to users who take the default
configuration, and do not run into IO limits on gp2 volumes today. The
change for those users will be purely in reduced costs.

For users who hit the burst limits of gp2, this change will improve
IOPS to a constant 3000.

With the default volume size there is a slight throughput change when
going from gp2 to gp3 (128 MB/s to 125 MB/s).

== Dependencies ==
No dependencies

== Contingency Plan ==
* Contingency mechanism: (What to do?  Who will do it?) N/A
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change)


== Documentation ==

EC2 documentation details differences between gp2 and gp3:
- https://aws.amazon.com/ebs/general-purpose/
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/general-purpose.html

== Release Notes ==


___
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue