Ensure that the IAM roles assigned to your EC2 instances only possess the bare minimum permissions required for their operational tasks. Never assign administrative privileges to an EC2 instance profile.
What is the Instance Metadata Service? The EC2 Instance Metadata Service provides important information about each individual EC2 ... (Datadog Security Labs)
AWS has introduced several layers of defense to prevent metadata theft. If you are managing EC2 instances, these three steps are essential: 1. Upgrade to IMDSv2
Reject requests containing private or link-local IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254/32).
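To show why the IMDSv2 upgrade blunts this attack, here is an added example (not code from the page, from Datadog or from AWS) that stands up a small local HTTP server mimicking IMDSv2's session rules and then plays two clients against it: the plain GET that a GET-only image fetcher can be coerced into, and the legitimate two-step token exchange. The header names, the PUT-then-GET flow and the 401/403 outcomes follow IMDSv2's documented behaviour; the server itself, the role name "example-role", the loopback port and every helper name are constructed for this example.

```python
import http.server
import secrets
import threading
import time
import urllib.error
import urllib.request

# Header and path names are the real IMDSv2 ones; everything else here
# (server, role name, helpers) is constructed for this example.
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


class FakeIMDSv2Handler(http.server.BaseHTTPRequestHandler):
    """Toy IMDSv2 stand-in: no session token, no metadata."""

    tokens = {}  # token -> expiry (epoch seconds); shared across requests

    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, status, body=""):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path != TOKEN_PATH:
            return self._reply(404)
        # IMDSv2 does not issue tokens to requests that passed through a proxy.
        if "X-Forwarded-For" in self.headers:
            return self._reply(403)
        ttl = self.headers.get(TTL_HEADER, "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._reply(200, token)

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        if token is None or self.tokens.get(token, 0.0) < time.time():
            return self._reply(401, "Unauthorized")
        if self.path == CREDS_PATH:
            return self._reply(200, "example-role")  # constructed role name
        self._reply(404)


def start_fake_imds():
    """Bind the toy server to an ephemeral loopback port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeIMDSv2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _send(request):
    """Return (status, body), treating HTTP error statuses as ordinary results."""
    try:
        with urllib.request.urlopen(request, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def plain_get(base_url):
    """All a GET-only SSRF fetcher can do: one GET, no custom headers."""
    return _send(urllib.request.Request(base_url + CREDS_PATH))


def imdsv2_get(base_url, ttl_seconds=21600):
    """The legitimate exchange: PUT for a session token, then GET with it."""
    put = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    status, token = _send(put)
    if status != 200:
        return status, ""
    get = urllib.request.Request(base_url + CREDS_PATH, headers={TOKEN_HEADER: token})
    return _send(get)


def proxied_token_request(base_url):
    """A token request carrying X-Forwarded-For, as one relayed through a proxy would."""
    put = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: "60", "X-Forwarded-For": "203.0.113.9"})
    return _send(put)[0]


if __name__ == "__main__":
    server, base = start_fake_imds()
    try:
        print("plain GET         ->", plain_get(base))
        print("IMDSv2 exchange   ->", imdsv2_get(base))
        print("proxied token PUT ->", proxied_token_request(base))
    finally:
        server.shutdown()
```

The point the toy makes: a fetcher that only issues GET requests with no caller-controlled headers can never complete the PUT step, so the credentials path answers 401 instead of leaking the role's keys, and a token request that arrives with an X-Forwarded-For header (the signature of a relay through a proxy) is refused outright. On a real instance the equivalent enforcement is setting the instance's metadata options to require tokens (IMDSv2 only), which is what "Upgrade to IMDSv2" means in practice.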
The attacker changes the URL to image=http://169.254.169.254/latest/meta-data/iam/security-credentials/.
Understanding SSRF and the AWS Instance Metadata Service
The string fetch-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta-data-2Fiam-2Fsecurity-credentials-2F is a URL-encoded payload (the percent signs of %3A and %2F written as hyphens) designed to exploit Server-Side Request Forgery (SSRF) vulnerabilities [1]; decoded, it is a fetch-url request for http://169.254.169.254/latest/meta-data/iam/security-credentials/.
The server happily fetches the credentials and returns them in the image response. The attacker now has full access to whatever permissions the IAM role has – potentially S3, DynamoDB, or even administrative privileges.
By default, in older configurations, any application running on the server can query this IP via simple HTTP GET requests without needing an API key or password.
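One way to implement the "reject requests containing private or link-local IP ranges" check from the steps above, written as an added example in Python that is not the page's or any project's code. It goes a little beyond the page's four ranges: it also blocks loopback and the IPv6 equivalents, unwraps IPv4-mapped IPv6 addresses, and checks every DNS answer rather than the first, all of which are assumptions of this example rather than statements from the page. The blocked-range list widens 169.254.169.254/32 to the whole 169.254.0.0/16 link-local block; the hostnames, addresses and resolver callback used in the demonstration are constructed.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlparse

# Address ranges the image fetcher must never talk to. The first four are the
# ranges listed on the page (link-local widened from 169.254.169.254/32 to the
# whole /16); loopback, 0.0.0.0/8 and the IPv6 equivalents are added as
# assumptions of this example.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fc00::/7"),
]

ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_ip(ip_text: str) -> bool:
    """True if the address falls inside a blocked range.

    IPv4-mapped IPv6 addresses (::ffff:169.254.169.254) are unwrapped first so
    they cannot be used to slip past the IPv4 rules.
    """
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA answer, not just the first."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_fetch_url(url: str,
                       resolver: Callable[[str], List[str]] = default_resolver) -> Tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). Every resolved address must be outside the
    blocked ranges; a single bad answer rejects the whole URL.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    # A literal IP needs no lookup. Anything else is resolved, which also
    # covers alternative spellings such as a single decimal number that the
    # system resolver normalises to a dotted address.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, f"could not resolve {host!r}"
        if not addresses:
            return False, f"no addresses for {host!r}"
    for ip_text in addresses:
        if is_blocked_ip(ip_text):
            return False, f"{host!r} resolves to blocked address {ip_text}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates, including the attacker URL quoted on the page.
    for candidate in [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "file:///etc/passwd",
        "http://172.32.0.1/cat.png",
    ]:
        print(candidate, "->", validate_fetch_url(candidate))
```

Two caveats matter when wiring this into a real fetcher. First, the address you validate must be the address you connect to: resolving again at connect time reopens the door to DNS rebinding, so pass the checked IP to the HTTP client (or pin the resolver) rather than the hostname. Second, redirects are new requests; every Location target has to go back through validate_fetch_url before it is followed.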