From b2b2c2afe15c48952d57b4d01e7108f9515c5f55 Mon Sep 17 00:00:00 2001
From: Timothy Carambat
Date: Thu, 11 Jan 2024 18:37:00 -0800
Subject: [PATCH] protect AWS CF deployments by automatically blocking metadata URL (#578)
---
 .../aws/cloudformation/cloudformation_create_anythingllm.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cloud-deployments/aws/cloudformation/cloudformation_create_anythingllm.json b/cloud-deployments/aws/cloudformation/cloudformation_create_anythingllm.json
index 313a4ecd..e81e16b6 100644
--- a/cloud-deployments/aws/cloudformation/cloudformation_create_anythingllm.json
+++ b/cloud-deployments/aws/cloudformation/cloudformation_create_anythingllm.json
@@ -82,7 +82,8 @@
 "\n",
 "#!/bin/bash\n",
 "# check output of userdata script with sudo tail -f /var/log/cloud-init-output.log\n",
- "sudo yum install docker -y\n",
+ "sudo yum install docker iptables -y\n",
+ "sudo iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP\n",
 "sudo systemctl enable docker\n",
 "sudo systemctl start docker\n",
 "mkdir -p /home/ec2-user/anythingllm\n",
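Review bot: The added `iptables -A OUTPUT ... -d 169.254.169.254 -j DROP` rule lives only in kernel memory and the user-data script runs once at first boot, so the block disappears on the first reboot unless the rule is persisted (saved into the distribution's iptables service configuration or re-applied from a systemd unit). The rule also matches only locally generated packets: if the AnythingLLM container runs on Docker's default bridge network, its traffic takes the FORWARD/DOCKER-USER path rather than OUTPUT and the `-m owner` match never sees it — the `docker run` invocation is outside this hunk, so please confirm which network mode is used. Processes running as root, including a container without user namespaces whose uid 0 is host root, are deliberately exempted by `! --uid-owner root` and still reach the endpoint. Consider additionally requiring IMDSv2 with a hop limit of 1 in the instance's metadata options (`HttpTokens: required`, `HttpPutResponseHopLimit: 1`), which protects these paths independently of host firewall state; note the IPv6 metadata address is also not covered if IPv6 is enabled.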