Request-url-http-3a-2f-2f169.254.169.254-2flatest-2fmeta-data-2fiam-2fsecurity-credentials-2f Exclusive Direct

The pattern http-3A-2F-2F is a dead giveaway: it is http:// with the percent signs of URL encoding (%3A, %2F) rendered as dashes, which is how an SSRF payload typically lands in a request log. The specific sub-directories point directly to AWS IAM metadata:

iam: Narrows the request down to Identity and Access Management configurations.

Every EC2 instance launched in AWS has access to an internal, link-local HTTP service that runs at the IP address 169.254.169.254. This service, known as the Instance Metadata Service (IMDS), provides the instance with information about itself: everything from its instance ID, public hostname, and network configuration to, most critically, temporary IAM role credentials.

The IP address 169.254.169.254 is a special IPv4 address reserved for link-local communication. In cloud environments like AWS (and similarly in Google Cloud and Microsoft Azure, with different paths), this address hosts the metadata service. It is only accessible from within the running cloud instance itself; it cannot be reached from the public internet.

3. The Path to IAM Credentials

When you assign an AWS Identity and Access Management (IAM) role to an EC2 instance, AWS automatically generates temporary security credentials for that role. The applications running on the EC2 instance pull these credentials directly from the metadata endpoint. A legitimate request from inside the server looks like this:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

The server responds with a JSON payload containing:

SecretAccessKey
Token (Session Token)
Expiration Time

This feature is commonly used in deployment scripts running on EC2 instances to access AWS resources securely. For example, an EC2 instance might use these credentials to upload logs to S3, make changes to DynamoDB, or process data in SQS queues.

The same endpoint is what an SSRF attacker goes after. The attacker inputs http://169.254.169.254/latest/meta-data/iam/security-credentials/ into the vulnerable parameter, and the server, which can reach the link-local address, fetches the credentials on the attacker's behalf. The attacker then configures their local AWS CLI with these stolen keys and begins scanning your S3 buckets or launching new instances.

Note: This exact technique was famously used in the massive Capital One data breach of 2019, resulting in the theft of over 100 million customer records.

How to Secure Your Infrastructure

IMDSv1 vs. IMDSv2: The Essential Defense

In response, AWS introduced IMDSv2, which adds defense-in-depth: it requires a request to generate a secret token (X-aws-ec2-metadata-token). You can no longer just "GET" the data. You must first perform a PUT request to generate a session token, then pass that token in an HTTP header to retrieve metadata.

If an application is compromised via SSRF, the damage is capped by the permissions of the EC2 instance's IAM role. Ensure that EC2 instances only have the absolute minimum permissions required to perform their tasks. Never attach administrative or overly broad permissions to an instance profile.

If you run Docker containers on EC2, the containers may share the host network and access the metadata endpoint.

4. WAF Rules and Monitoring
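As an added example (not code from the original page), here is a small Python normaliser and classifier that applies the "dead giveaway" check from the top of the page to request-log lines: it decodes standard percent-encoding, the dash-for-percent form seen in the log header, and double encoding, then flags any URL parameter whose host is 169.254.169.254, separating plain metadata probes from the IAM credentials path. The sample log lines, the `url` parameter name and the verdict labels are constructed assumptions, not anything from the page.

```python
import re
from urllib.parse import unquote, urlsplit

IMDS_HOST = "169.254.169.254"
IMDS_CREDENTIAL_PATH = "/latest/meta-data/iam/security-credentials"

# Constructed request lines (not from the original page): three IMDS probes in
# different encodings, then two benign requests.
SAMPLE_LOG = [
    "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F",
    "GET /fetch?url=http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta-data-2Fiam-2Fsecurity-credentials-2F",
    "GET /fetch?url=http%253A%252F%252F169.254.169.254%252Flatest%252Fmeta-data%252F",
    "GET /fetch?url=https%3A%2F%2Fexample.com%2Fimages%2Flogo.png",
    "GET /healthz",
]

# Dash variant ('-3A-2F-2F'): only URL delimiters are mapped, so a literal
# hyphen followed by two hex digits (as in 'meta-data') is left untouched.
DASH_CODES = {"3A": ":", "2F": "/", "3F": "?", "3D": "=", "26": "&", "25": "%"}
DASH_RE = re.compile(r"-(" + "|".join(DASH_CODES) + r")", re.IGNORECASE)

def normalize(value, max_rounds=3):
    """Decode percent- and dash-encoding repeatedly so double encoding is undone."""
    for _ in range(max_rounds):
        decoded = unquote(DASH_RE.sub(lambda m: DASH_CODES[m.group(1).upper()], value))
        if decoded == value:
            break
        value = decoded
    return value

def classify(raw_value):
    """Return 'imds-credentials', 'imds' or None for one still-encoded parameter value."""
    parts = urlsplit(normalize(raw_value))
    if parts.hostname != IMDS_HOST:
        return None
    return "imds-credentials" if parts.path.startswith(IMDS_CREDENTIAL_PATH) else "imds"

def scan_log(lines):
    """Return (line, parameter name, verdict) for every request that targets IMDS."""
    findings = []
    for line in lines:
        _, _, target = line.partition(" ")
        for pair in urlsplit(target).query.split("&"):  # values stay encoded here
            name, _, raw = pair.partition("=")
            verdict = classify(raw) if raw else None
            if verdict:
                findings.append((line, name, verdict))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the first three lines only; an "imds-credentials" verdict is the one that warrants an immediate check of which IAM role the instance profile carries.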