
AWS Service-To-Service authentication via Identity document

Çağlar Arlı      -    12 Views


In AWS, instance identity documents are signed documents that describe instance metadata such as private IP, image ID, etc. An identity document for an instance A can be obtained from instance A using a simple HTTP request to the metadata service (at 169.254.169.254).

In the "Practical Cloud Security" book, the following Service-to-Service authentication method is described: An instance fetches its identity document and presents it to the target VM B. VM B validates the signature and deduces the caller's identity.

Identity document based authentication

I have mixed feelings about this authentication mechanism. Firstly, if instance A authenticates to both instances B and C, the authentication token appears to leak (now both B and C have it). If the authentication is inside the same VPC, the IP address should provide the same guarantees as the identity document token. Finally, there appear to be no freshness guarantees inside the token.

What is the best intended use case for this authentication mechanism?
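The exchange the question describes, as an added example that is not part of the original post: instance A fetches its identity document plus the detached PKCS7 signature from the metadata service, and VM B checks the signature with the `openssl smime -verify` invocation the EC2 documentation gives for that signature, then checks the claims itself. Assumptions: `openssl` is on the PATH; a throwaway self-signed certificate stands in for the AWS regional signing certificate (so the document is signed here with that stand-in key, not by AWS); the identity document is a constructed sample; and `run_scenario`, `check_claims` and the other function names are hypothetical. The scenario also exercises the replay concern raised above: `pendingTime` is the instance's launch time, not a nonce, so a captured document stays "valid" indefinitely unless B enforces its own age limit.

```python
"""Offline walk-through of identity-document based service-to-service auth."""
import datetime as dt
import json
import subprocess
import tempfile
from pathlib import Path

# Constructed sample identity document (the JSON instance A would fetch from
# http://169.254.169.254/latest/dynamic/instance-identity/document).
IDENTITY_DOCUMENT = json.dumps({
    "accountId": "123456789012",
    "architecture": "x86_64",
    "availabilityZone": "eu-west-1a",
    "imageId": "ami-0123456789abcdef0",
    "instanceId": "i-0123456789abcdef0",
    "instanceType": "t3.micro",
    "privateIp": "10.0.1.23",
    "region": "eu-west-1",
    "pendingTime": "2024-03-01T10:00:00Z",  # launch time, not a nonce
    "version": "2017-09-30",
}, sort_keys=True).encode()


def _openssl(args, stdin=None):
    return subprocess.run(["openssl", *args], input=stdin, capture_output=True, check=True)


def make_stand_in_aws_cert(workdir: Path):
    """ASSUMPTION: a throwaway self-signed cert stands in for the per-region AWS
    signing certificate published in the EC2 docs. Returns (key_path, cert_path)."""
    key, cert = workdir / "aws.key", workdir / "aws.pem"
    _openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", str(key),
              "-out", str(cert), "-subj", "/CN=stand-in-for-AWS-signing-cert", "-days", "1"])
    return key, cert


def sign_like_imds(document: bytes, key: Path, cert: Path) -> str:
    """Detached PKCS7 signature in the shape of the /instance-identity/pkcs7 blob.
    -nocerts mirrors the IMDS blob not embedding the signer certificate; -binary
    skips S/MIME line-ending canonicalisation so the bytes signed are the raw doc."""
    proc = _openssl(["smime", "-sign", "-signer", str(cert), "-inkey", str(key),
                     "-outform", "PEM", "-nocerts", "-binary"], stdin=document)
    return proc.stdout.decode()


def verify_signature(document: bytes, pkcs7_pem: str, aws_cert: Path) -> bool:
    """VM B, step 1: check the detached signature against the pinned AWS cert.
    -noverify skips chain building because the signer cert itself is pinned."""
    with tempfile.TemporaryDirectory() as d:
        sig, doc = Path(d) / "sig.pem", Path(d) / "document"
        sig.write_text(pkcs7_pem)
        doc.write_bytes(document)
        proc = subprocess.run(["openssl", "smime", "-verify", "-in", str(sig), "-inform", "PEM",
                               "-content", str(doc), "-certfile", str(aws_cert),
                               "-noverify", "-binary"], capture_output=True)
        return proc.returncode == 0


def check_claims(document: bytes, expected_account: str, expected_region: str,
                 now: dt.datetime, max_age: dt.timedelta) -> list:
    """VM B, step 2: a valid signature only proves AWS launched *some* instance
    with these attributes. B must decide which attributes it trusts and how old
    a document it will accept. Returns a list of failure reasons (empty = accept)."""
    doc = json.loads(document)
    failures = []
    if doc.get("accountId") != expected_account:
        failures.append("accountId does not match")
    if doc.get("region") != expected_region:
        failures.append("region does not match")
    pending = dt.datetime.fromisoformat(doc["pendingTime"].replace("Z", "+00:00"))
    if now - pending > max_age:
        failures.append("stale: pendingTime is the launch time, not a nonce")
    return failures


def run_scenario() -> dict:
    """Genuine document, tampered document, and the same genuine document replayed
    a month later (it still verifies; only the age check rejects it)."""
    with tempfile.TemporaryDirectory() as d:
        key, cert = make_stand_in_aws_cert(Path(d))
        sig = sign_like_imds(IDENTITY_DOCUMENT, key, cert)
        tampered = IDENTITY_DOCUMENT.replace(b"10.0.1.23", b"10.0.1.99")
        now = dt.datetime(2024, 3, 1, 10, 0, 30, tzinfo=dt.timezone.utc)
        window = dt.timedelta(minutes=5)
        return {
            "genuine_verifies": verify_signature(IDENTITY_DOCUMENT, sig, cert),
            "tampered_verifies": verify_signature(tampered, sig, cert),
            "replay_still_verifies": verify_signature(IDENTITY_DOCUMENT, sig, cert),
            "fresh_failures": check_claims(IDENTITY_DOCUMENT, "123456789012", "eu-west-1", now, window),
            "replayed_failures": check_claims(IDENTITY_DOCUMENT, "123456789012", "eu-west-1",
                                              now + dt.timedelta(days=30), window),
            "foreign_failures": check_claims(IDENTITY_DOCUMENT, "999999999999", "eu-west-1", now, window),
        }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Note that the signature check alone never distinguishes the genuine presentation from the replayed one: anything B or C stored can be presented again by them or by whoever reads their logs, which is the leakage the question points at. The age limit is the only freshness control available with a bare identity document, and it is coarse because it is measured from launch, not from the request.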