Apply least privilege to the instance role: scope its IAM policy to the exact S3 buckets, database resources and API actions the workload needs, so that credentials stolen through SSRF are worth as little as possible to the attacker. 3. Sanitize Application Inputs
Decodes to the path /latest/meta-data/iam/security-credentials/, which returns the name of the IAM role attached to the instance.
Regularly audit your AWS environment to find EC2 instances that still accept IMDSv1, that is, instances whose metadata options have HttpTokens set to optional rather than required. The AWS Config managed rule ec2-imdsv2-check flags them, the EC2 CloudWatch metric MetadataNoToken counts the IMDSv1 calls an instance is still serving, and third-party tools such as Datadog can enforce and report on the same setting. Watch for metadata requests from application processes that have no business making them; note that VPC Flow Logs do not record traffic to 169.254.169.254, so this needs host-level visibility. The open-source aws-imds-packet-analyzer traces which processes on an instance call IMDS, and whether they use v1 or v2, which is exactly the information you need to switch an instance to IMDSv2 without breaking a workload.
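The audit described above, as an added example that is not part of the original page or of any AWS tool: it consumes the JSON that aws ec2 describe-instances --output json prints, reports every instance that still accepts IMDSv1 (HttpTokens not set to required) or whose IMDSv2 token may travel more than one network hop, and prints the modify-instance-metadata-options command that enforces IMDSv2. The instance IDs and metadata options in SAMPLE_DESCRIBE are constructed test data; the hop-limit threshold of 1 is an assumption (ECS tasks on bridged networking legitimately need 2).

```python
"""Audit EC2 MetadataOptions for IMDSv1 exposure (added example, not an AWS tool).
Usage: aws ec2 describe-instances --output json | python3 imds_audit.py
With no piped input the constructed sample below is used."""
import json
import sys

# Constructed sample in the shape of describe-instances output (fake IDs).
SAMPLE_DESCRIBE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbbb",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0ccccccccccccccccc",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0ddddddddddddddddd",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
        ]}
    ]
}


def audit(describe_output, max_hop_limit=1):
    """Return {instance_id: [findings]} for instances that still accept IMDSv1
    or that let the IMDSv2 token response travel more than max_hop_limit hops."""
    findings = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS switched off entirely: nothing for SSRF to reach
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 still accepted (HttpTokens != required)")
            hop = opts.get("HttpPutResponseHopLimit", 1)
            if hop > max_hop_limit:
                problems.append(
                    f"hop limit {hop} exceeds {max_hop_limit}: the IMDSv2 token response "
                    "can be relayed through a container or NAT on the instance (review)")
            if problems:
                findings[iid] = problems
    return findings


def remediation_commands(findings, max_hop_limit=1):
    """AWS CLI commands that enforce IMDSv2 on each flagged instance."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        f"--http-tokens required --http-endpoint enabled "
        f"--http-put-response-hop-limit {max_hop_limit}"
        for iid in sorted(findings)
    ]


if __name__ == "__main__":
    data = SAMPLE_DESCRIBE if sys.stdin.isatty() else json.load(sys.stdin)
    found = audit(data)
    for iid, problems in found.items():
        print(iid, "->", "; ".join(problems))
    for cmd in remediation_commands(found):
        print(cmd)
```

Run the printed commands only after confirming (for example with aws-imds-packet-analyzer) that nothing on the instance still depends on IMDSv1; a workload that cannot do the PUT handshake loses its credentials the moment tokens become required.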
169.254.169.254 is a link-local address: it is answered by the host for that instance only, it is not routable, and nothing on the public internet can reach it. That is exactly why SSRF matters here: the vulnerable server becomes the attacker's proxy to a network location they cannot reach directly.
To protect against the risks associated with 169.254.169.254, follow these guidelines:
Are you currently running any legacy EC2 instances that still have IMDSv1 enabled?
Understanding SSRF and the AWS Metadata Vulnerability
The string request-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta data-2Fiam-2Fsecurity credentials-2F is a URL-encoded payload that turns up constantly in the traffic of security researchers, attackers, and automated scanners (here -3A and -2F are the percent-encoded ':' and '/' with the '%' replaced by '-', as some logs and WAFs render it). Decoded, the request-url is http://169.254.169.254/latest/meta-data/iam/security-credentials/, the credentials endpoint of the EC2 Instance Metadata Service (IMDS). Sent through a server-side request forgery (SSRF) flaw, it makes the vulnerable server fetch that URL on the attacker's behalf.
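Decoding the payload above and spotting it in traffic, and the input check that a fetch-by-URL feature should apply before it contacts anything, as an added example that is not code from the original page. It assumes the dash-for-percent convention of the quoted string (only URL-reserved codes such as -3A and -2F are decoded, so the real hyphen in meta-data survives), a constructed access log for a hypothetical /viewer?url= feature, and constructed request values; it also handles the decimal, hex and IPv4-mapped IPv6 spellings of 169.254.169.254 that scanners use to slip past string matching, which the page does not cover.

```python
"""Decode, detect and block SSRF payloads aimed at the EC2 metadata IP (added example)."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

IMDS_IP = ipaddress.ip_address("169.254.169.254")

# Assumption: the log/scanner replaced '%' with '-'. Only reserved-character codes
# are decoded so real hyphens (the "-da" in "meta-data" is also a hex pair) survive.
DASH_CODES = {"3A": ":", "2F": "/", "3F": "?", "3D": "=", "26": "&",
              "25": "%", "23": "#", "40": "@"}


def decode_payload(raw: str) -> str:
    s = raw
    for _ in range(3):                       # collapse nested %25xx encodings
        t = unquote(s)
        if t == s:
            break
        s = t
    return re.sub(r"-(3A|2F|3F|3D|26|25|23|40)",
                  lambda m: DASH_CODES[m.group(1).upper()], s, flags=re.IGNORECASE)


def host_to_ip(host):
    """Normalise the spellings of an IP literal; None means a DNS name."""
    if host is None:
        return None
    if re.fullmatch(r"0x[0-9a-f]+", host, re.IGNORECASE):
        return ipaddress.ip_address(int(host, 16))   # 0xa9fea9fe
    if host.isdigit():
        return ipaddress.ip_address(int(host))       # 2852039166
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None                                  # hostname, needs resolution
    if ip.version == 6 and ip.ipv4_mapped:           # ::ffff:169.254.169.254
        return ip.ipv4_mapped
    return ip


def targets_imds(raw_url: str) -> bool:
    """True when the (possibly encoded) request value points at the metadata IP."""
    url = decode_payload(raw_url)
    if "://" not in url:
        url = "http://" + url                        # scanners often omit the scheme
    return host_to_ip(urlsplit(url).hostname) == IMDS_IP


def outbound_url_allowed(url: str, resolved=None):
    """Server-side check for a fetch-by-URL feature. Literal IPs are judged directly.
    For hostnames the caller passes the addresses it resolved and must then connect
    to exactly those addresses; resolving again later invites DNS rebinding."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    ip = host_to_ip(parts.hostname)
    candidates = [ip] if ip else [ipaddress.ip_address(a) for a in (resolved or [])]
    if not candidates:
        return False, "unresolved host"
    for c in candidates:
        if c.is_link_local or c.is_private or c.is_loopback or c.is_reserved or c.is_multicast:
            return False, f"non-public address {c}"
    return True, "ok"


# Constructed access-log lines (not real traffic) for a hypothetical /viewer?url= feature.
SAMPLE_LOG = [
    '10.0.0.7 "GET /viewer?url=http://example.com/logo.png HTTP/1.1" 200',
    '10.0.0.7 "GET /viewer?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200',
    '10.0.0.9 "GET /viewer?url=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2F HTTP/1.1" 200',
    '10.0.0.9 "GET /viewer?url=http%3A%2F%2F%5B%3A%3Affff%3A169.254.169.254%5D%2Flatest%2F HTTP/1.1" 200',
]


def scan_log(lines):
    """Return the decoded target of every request aimed at the metadata IP."""
    hits = []
    for line in lines:
        m = re.search(r"[?&]url=([^\s\"&]+)", line)
        if m and targets_imds(m.group(1)):
            hits.append(decode_payload(m.group(1)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("IMDS access attempt:", hit)
```

The decoding step is the important part of the detection: a rule that matches the literal string 169.254.169.254 misses the percent-encoded, decimal and hex forms, and an allow-list that looks at the raw URL string instead of the address actually connected to is bypassed the same way.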
[Attacker]
   │  sends the payload to the vulnerable app (e.g. a "File Viewer" feature that fetches a user-supplied URL)
   ▼
[Vulnerable Server]
   │  makes the internal request to 169.254.169.254 on the attacker's behalf
   ▼
[AWS Metadata Service]
   │  answers with AccessKeyId, SecretAccessKey, Token and Expiration for the instance role
   ▼
[Vulnerable Server]
   │  echoes the response back in its HTTP reply
   ▼
[Attacker]  <--- exfiltrates the temporary credentials of the instance's IAM role
If you append the IAM role name to that URL (e.g., .../security-credentials/my-ec2-role), the service returns a JSON object containing AccessKeyId, SecretAccessKey, Token (the session token) and Expiration (the time at which these temporary credentials stop working). The listing without a role name is what reveals the role name in the first place, so one SSRF request discovers it and a second one collects the keys.
The attacker configures these stolen credentials on their own machine (all three values are needed: the access key ID, the secret key and the session token) and, until the Expiration time, holds exactly the permissions of the IAM role attached to the compromised EC2 instance, which lets them steal data, delete resources, or deploy malware, depending on what the role allows. Because the API calls now originate from an address outside the instance, CloudTrail records them with that foreign source IP and GuardDuty raises InstanceCredentialExfiltration findings for them; both are worth alerting on.
The URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ is the standard endpoint of the EC2 Instance Metadata Service (IMDS), specifically the path used to retrieve the temporary security credentials of the IAM role attached to an EC2 instance.
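Why IMDSv2 changes the picture for the request above, shown as an added example rather than code from the page or from AWS: a small local HTTP server stands in for the metadata service with tokens set to required, and two clients talk to it. The IMDSv1-style client does what a GET-only SSRF can do (one GET, no custom headers) and is refused; the IMDSv2 client first obtains a session token with a PUT carrying the X-aws-ec2-metadata-token-ttl-seconds header and then presents it in X-aws-ec2-metadata-token, which is the handshake the AWS SDKs perform on the instance. The server, the role name my-ec2-role, and the credential values are all constructed; on a real instance the base URL is http://169.254.169.254, and the real service additionally limits how many network hops the token response may travel (hop limit, default 1), which this mock does not model.

```python
"""Mock of the IMDSv2 token handshake (added example; stand-in for the real IMDS)."""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
ROLE = "my-ec2-role"
# Constructed, invalid credentials purely for the mock.
FAKE_CREDS = {
    "Code": "Success", "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE", "SecretAccessKey": "exampleSecretKeyNotReal",
    "Token": "exampleSessionTokenNotReal", "Expiration": "2030-01-01T00:00:00Z",
}
OPENER = build_opener(ProxyHandler({}))   # never send loopback traffic via a proxy


class MockIMDSv2(BaseHTTPRequestHandler):
    tokens = set()                         # shared across requests (class attribute)

    def log_message(self, *args):          # keep the example quiet
        pass

    def _send(self, code, body, ctype="text/plain"):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # IMDSv2 step 1: a token is only issued to a PUT that carries the TTL header.
        if self.path == "/latest/api/token" and TTL_HDR in self.headers:
            tok = secrets.token_urlsafe(24)
            self.tokens.add(tok)
            self._send(200, tok)
        else:
            self._send(400, "bad token request")

    def do_GET(self):
        # With http-tokens=required every GET without a valid token is refused.
        if self.headers.get(TOKEN_HDR) not in self.tokens:
            self._send(401, "Unauthorized")
        elif self.path == "/latest/meta-data/iam/security-credentials/":
            self._send(200, ROLE)
        elif self.path == f"/latest/meta-data/iam/security-credentials/{ROLE}":
            self._send(200, json.dumps(FAKE_CREDS), "application/json")
        else:
            self._send(404, "not found")


def start_mock():
    srv = HTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def imdsv1_style_get(base, path):
    """What a GET-only SSRF can send: no PUT, no custom headers. Returns the status."""
    try:
        return OPENER.open(base + path, timeout=2).status
    except HTTPError as e:
        return e.code


def imdsv2_fetch_credentials(base):
    """The legitimate two-step flow used by the SDKs on the instance itself."""
    tok_req = Request(base + "/latest/api/token", method="PUT", headers={TTL_HDR: "21600"})
    token = OPENER.open(tok_req, timeout=2).read().decode()
    hdr = {TOKEN_HDR: token}
    listing = base + "/latest/meta-data/iam/security-credentials/"
    role = OPENER.open(Request(listing, headers=hdr), timeout=2).read().decode()
    creds = OPENER.open(Request(listing + role, headers=hdr), timeout=2).read()
    return json.loads(creds)


if __name__ == "__main__":
    srv, base = start_mock()
    print("IMDSv1-style GET ->", imdsv1_style_get(base, "/latest/meta-data/iam/security-credentials/"))
    print("IMDSv2 flow ->", sorted(imdsv2_fetch_credentials(base)))
    srv.shutdown()
```

The protection is not that the token is secret but that obtaining it needs a PUT with a custom header, which the typical SSRF primitive (a server fetching a user-supplied URL with GET) cannot produce. An SSRF that controls the method and headers, or an attacker who already runs code on the instance, still completes the handshake, which is why IMDSv2 is paired with the least-privilege role and the application-level URL check rather than replacing them.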