3

Context: My company has private API that we only expose to our our employees and vendors who need access to it. That being said there are a few parts of it that don't require login to view, namely the status-check and login endpoints.

As a part of debugging, right now we include the AWS Instance ID whenever any error occurs. Here is an example of the information that the API may return on a failed login:

NOTE: This is pseudo-data and our actual API responses are different.

{
    "status": {
        "code": 400,
        "name": "Bad Request",
        "description": "This request is missing data or contains invalid information."
    },
    "error_data": {
        "environment": "PRODUCTION",
        "instance": "i-0b22b2d35aaaaaaaa",
        "message": "Failed to login"
    }
}

In the past we have found this to be very useful for tracking down EC2 specific issues (usually low memory, low disk space, and/or nginx needs to be restarted).

My Question: Does exposing the AWS Instance ID cause any security concerns and/or is there any reason not to?

It would also be helpful if there was a better way to identify individual instances, if the instance ID shouldn't be exposed?

Nicholas Summers
  • 133
  • 6
  • 2
    I'd say it's safe to expose. It gives an opponent no real info about how the infrastructure is set up, and it's only usable if they've got access to your AWS to do something with it, at which point you're already screwed. – ceejayoz Jul 16 '18 at 18:38
  • Duplicate question: https://serverfault.com/questions/571829/is-it-dangerous-to-reveal-my-ec2-instance-id – benjimin Mar 05 '23 at 08:59

1 Answers1

7

Yes, it is safe to expose an AWS instance ID.

You can find many posts of AWS personnel in AWS forums, asking users to post their instance id so they can have a look and then they're like "Yea, I can see the issue..." So I guess it is safe.

Here's an example: https://forums.aws.amazon.com/thread.jspa?threadID=24525

M. Glatki
  • 1,964
  • 1
  • 17
  • 33
Itai Ganot
  • 10,644
  • 29
  • 93
  • 146
  • 1
    Thank you that's helpful. However, ideally this would be backed up by some documentation from AWS explicitly saying it's OK. Assuming no one come up with something like that in 24 hours I will mark your answer as correct. – Nicholas Summers Jul 16 '18 at 18:53
  • I tried to find some official post about it but to no avail, Thanks. – Itai Ganot Jul 16 '18 at 18:55
  • @NicholasSummers I doubt you'll find official docs on this - it's in parts up the individual organization. I'd bet the NSA would fire you for exposing an instance ID, but I won't fire you from my dev team. – ceejayoz Jul 16 '18 at 19:00
  • 3
    What can you do with an instance ID? Nothing, unless you have appropriate permission. If your VPC / instances / account are appropriately secured (they are quite secure by default unless you make them insecure) then you have nothing to worry about sharing instance IDs. – Tim Jul 16 '18 at 19:25
  • 4
    If nothing else, just use a truncated form of the instance-id in the responses. Keeping only 8 characters and any ambiguity remains extremely unlikely, yet the 9 hex digits you discarded represent 68,719,476,736 possible instances that could have started with the value you do display. – Michael - sqlbot Jul 16 '18 at 23:10
  • With an instance id you only can read its data or stop/start/destroy the instance *if* you have the IAM credentials. But likely with a credentials capable of operate on an instance id you'll be able to make a describe instances call to get all the instance ids. So there's no problem at all in disclosing it, without a proper IAM keys there's noting to fear, and if someone steal a pivileged IAM keys you surely will be owned even if the thief ignores the instance ids. – theist Jul 18 '18 at 19:07
  • For me, I believe that AWS instance IDs are safe. I have extensively studied AWS security, and I am an MVP in security. I have the AWS Security Specialty certification. In all the AWS documentation, training materials, etc. the security of instance IDs is never brought up. The lack of a positive that instance IDs are secure does not make them secure. However, I do not know of a way to breach AWS (in any form) with just an instance ID. – John Hanley Jul 18 '18 at 19:15
  • @JohnHanley What do you think about my question ["Is open-source infrastructure safe?"](https://serverfault.com/questions/978289/is-open-source-infrastructure-safe) ? – Shadi Aug 07 '19 at 12:28