Request URL: http://169.254.169.254/latest/meta-data/iam/security-credentials/
In some cases, instances don’t need IMDS at all. Disable it via instance metadata options.
SSRF occurs when an attacker can cause a web application to send a crafted request to an unexpected destination.
The Attack Scenario
Curious, Alex decided to explore this location. They realized that 169.254.169.254 was a special IP address, known as the link-local address, which was used for communication between systems on the same network.
Understanding the Security Risks of AWS Metadata SSRF Attacks
Unlike IMDSv1, which uses a simple GET request, IMDSv2 requires a PUT request to establish a session, followed by a GET request with a token header. Attackers cannot easily perform a PUT request via simple SSRF. You can force IMDSv2 via the CLI:
The IP address 169.254.169.254 is a link-local address used by cloud providers, most notably AWS. It is only accessible from within the running cloud instance itself. Users on the outside internet cannot route directly to this IP address.
The request URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ represents a critical component of AWS's approach to secure and manageable access to cloud resources. By providing temporary IAM security credentials through the Instance Metadata Service, AWS enables a more secure and dynamic way of managing access from EC2 instances. As cloud environments continue to evolve, understanding and effectively utilizing such features is key to maintaining security best practices and efficient operational workflows.
(often with a %20 or hyphen) points to the instance directory.
The EC2 instance makes a request to the metadata service at the specified URL.
If the application does not validate or restrict the input url parameter, an attacker can swap https://google.com with the AWS metadata string: https://example.com
The EC2 instance can then use these temporary credentials to access AWS resources securely.
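One way to validate the url parameter described above before the server fetches it, as an added example that is not from the original page. The function names, the injectable `resolve` parameter and the sample hostnames are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolve(host):
    """Default resolver: every address the OS returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(addr):
    """True for link-local (IMDS), loopback, private and other non-public ranges."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    ip = getattr(ip, "ipv4_mapped", None) or ip    # unwrap ::ffff:a.b.c.d
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def candidate_addresses(host, resolve):
    """Addresses a client could end up connecting to for this host string."""
    try:
        # Legacy IPv4 spellings such as the single integer 2852039166 parse here.
        return {socket.inet_ntoa(socket.inet_aton(host))}
    except OSError:
        pass
    try:
        return {str(ipaddress.ip_address(host))}  # IPv6 literal
    except ValueError:
        return set(resolve(host))                 # DNS name

def check_fetch_url(url, resolve=system_resolve):
    """Return (allowed, reason) for a user-supplied url parameter."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        addrs = candidate_addresses(parts.hostname, resolve)
    except OSError:
        addrs = set()
    if not addrs:
        return False, "host did not resolve"
    blocked = sorted(a for a in addrs if is_internal(a))
    if blocked:
        return False, f"internal destination: {blocked[0]}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed inputs; the fake resolver stands in for a DNS name aimed at IMDS.
    for u in ("http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://2852039166/", "http://alias.example.test/"):
        print(u, check_fetch_url(u, resolve=lambda h: {"169.254.169.254"}))
```

Validation alone leaves a gap if the HTTP client resolves the name again or follows a redirect, so connect to the address that passed the check and run each redirect target through the same function.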


