callback-url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

The specific path /latest/meta-data/iam/security-credentials/ is designed to provide temporary credentials (an Access Key ID, a Secret Access Key, and a Session Token) to authorized applications running on the instance.

Anatomy of the Attack Payload

Set the HttpTokens option to required and set the HttpPutResponseHopLimit to 1. This keeps the metadata service from being reachable by containers or proxies that might be running on the instance, because the IMDSv2 token response cannot travel more than one network hop.

3. Implement the Principle of Least Privilege

You can enforce this when launching an instance, or update existing instances using the CLI:

The exact string represents a classic, highly dangerous payload used in cloud security exploits. When decoded, this URL targets a vulnerability class known as Server-Side Request Forgery (SSRF). It explicitly attempts to extract AWS Identity and Access Management (IAM) temporary security credentials directly from a cloud instance.

169.254.169.254 is the crown jewel of AWS internal networking: the link-local address of the Instance Metadata Service (IMDS). Its appearance in plaintext outside an EC2 instance is a five-alarm fire.

The path /latest/meta-data/iam/security-credentials/ specifically relates to retrieving IAM (Identity and Access Management) security credentials for an instance. IAM is a service that enables AWS customers to manage access to AWS resources by creating and managing user identities, then granting permissions to access those resources.

Because the request originates from within the cloud instance, the metadata service trusts it implicitly under the older protocol (IMDSv1) and responds with the names of the active IAM instance profiles.

The most effective mitigation is to move from IMDSv1 to IMDSv2. Unlike v1, which only requires a simple HTTP GET request, IMDSv2 requires a session-oriented token, which mitigates many common SSRF vulnerabilities.


An attacker cannot query 169.254.169.254 from the public internet because link-local addresses are not routed beyond the local host. To bypass this restriction, attackers use SSRF: they trick a server-side component into making the request on their behalf.
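A server-side check for a parameter such as the callback-url in the title, as an added example that is not code from the original page: it percent-decodes the URL, parses it, and refuses literal link-local, loopback and private targets such as 169.254.169.254, including the encoded and plain-integer spellings of that address. It does not resolve DNS names (assumed out of scope here), so a production deployment must also resolve the host and re-check every returned address at connect time.

```python
"""Defensive callback-URL validator: reject non-public literal targets
such as the EC2 metadata endpoint before the server fetches a URL.
Assumption: DNS is not resolved here; re-check at connect time."""
import ipaddress
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}


def _decode_fully(url: str, rounds: int = 3) -> str:
    # Undo repeated percent-encoding (%253A -> %3A -> :) so an encoded
    # metadata URL cannot slip past the host check.
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def _host_to_ip(host: str):
    # Return an ip_address object when the host is a literal address in
    # dotted, IPv6 or plain-integer form (2852039166 == 169.254.169.254);
    # return None for a DNS name.
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            pass
    return None


def _is_blocked_ip(ip) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before classifying.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_safe_callback_url(url: str) -> bool:
    """True only for absolute http(s) URLs whose host is not a literal
    link-local, loopback, private or otherwise non-public address."""
    parts = urlsplit(_decode_fully(url))
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    ip = _host_to_ip(parts.hostname)
    return not (ip is not None and _is_blocked_ip(ip))
```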

Use local firewall rules (for example, iptables) on the instance to restrict which users or processes can reach the metadata IP.

This threat actor exploited an SSRF flaw in Adminer (CVE-2021-21311) to steal credentials from IMDS, demonstrating that this attack vector has been weaponized by advanced persistent threat groups for years.

With IMDSv2, you must first perform a PUT request to obtain a session token before you can request any metadata.

Disable IMDSv1 and require IMDSv2 on all EC2 instances.