The URL http://169.254.169.254/latest/api/token is a special address used primarily in cloud environments, notably Amazon Web Services (AWS). The IP address 169.254.169.254 is a link-local address: it is not routable and can only be reached from inside the instance itself. On AWS it is the endpoint of the Instance Metadata Service (IMDS), and /latest/api/token is the path where IMDSv2 issues session tokens.

This article explains what 169.254.169.254 represents, how IMDSv2 works, and why attackers target the token endpoint. Understanding those three things will make you a better cloud architect, a stronger defender, or a more effective ethical hacker.

In 2019, Capital One suffered a massive data breach in which an attacker exploited an SSRF vulnerability to reach a server's metadata service. Under the older IMDSv1, a single GET request could yield the instance's IAM role credentials. AWS responded by introducing IMDSv2, which requires a "session-oriented" approach:

Step 1: Send a PUT request to http://169.254.169.254/latest/api/token to generate a temporary token. You must first get this token before any other metadata request will succeed, and the request has to carry a time-to-live (TTL) header, X-aws-ec2-metadata-token-ttl-seconds, which determines how long the token is valid (at most 21600 seconds, i.e. six hours).

Step 2: Present that token in the X-aws-ec2-metadata-token header on every subsequent GET request for metadata, including the IAM credentials path.

The keyword curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken is a hyphen-escaped form of a curl invocation: -3A stands for a colon and -2F for a slash. In plaintext, the command is:

curl --url http://169.254.169.254/latest/api/token

On its own that only names the Step 1 target; a working token request needs two more options. The core command represented by the keyword functions as follows:

--url http://169.254.169.254/latest/api/token : The IMDSv2 token endpoint, the first stop of every IMDSv2 session.

-X PUT : Changes the request method to PUT. IMDSv2 explicitly rejects standard GET requests to the token endpoint to block naive SSRF attempts, because most SSRF primitives can make a GET but cannot choose the method or add request headers.

-H "X-aws-ec2-metadata-token-ttl-seconds: <seconds>" : The TTL header from Step 1; a PUT without it is refused.

Requiring IMDSv2 on an instance (setting HttpTokens to required) forces this PUT-then-GET token flow. But as the keyword itself shows, the flow is nothing more than a curl command, so it does not stop an attacker who can already run commands on the instance; it only removes the IMDSv1 fallback, where one unauthenticated GET was enough.

Configure your security tools to alert on unexpected or high-frequency requests targeting 169.254.169.254, especially if they originate from user-facing applications. A web server or application process issuing PUTs to the token endpoint, or reading the iam/security-credentials/ path, is a strong indicator of SSRF or a compromised host.
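The two-step IMDSv2 flow, the HttpTokens=required hardening, and the monitoring advice above, as an added POSIX shell example that is not part of the original article. The endpoint, header names, the 21600-second maximum TTL and the aws ec2 modify-instance-metadata-options flags are AWS-documented; the IMDS_URL variable, the function names and the sample log lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Wraps the IMDSv2 flow the
# article describes in POSIX shell functions. Endpoint, header names and the
# 21600-second maximum TTL are AWS-documented; IMDS_URL and the sample log
# below are this example's own choices.
set -eu

IMDS_URL="${IMDS_URL:-http://169.254.169.254}"

# Step 1: PUT to the token endpoint with a TTL header (1..21600 seconds).
# A GET here, or a PUT without the TTL header, is refused by IMDSv2.
imds_token() {
  ttl="${1:-21600}"
  curl -sS --fail --max-time 2 -X PUT "$IMDS_URL/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: $ttl"
}

# Step 2: present the token on every metadata GET.
imds_get() {
  path="$1"; token="$2"
  curl -sS --fail --max-time 2 "$IMDS_URL/latest/meta-data/$path" \
    -H "X-aws-ec2-metadata-token: $token"
}

# Enforce IMDSv2 (HttpTokens=required) on an instance and set the PUT response
# hop limit to 1 so a token reply cannot be forwarded off the instance. This
# removes the IMDSv1 fallback only; it does not stop code already running on
# the host from performing the PUT-then-GET flow above.
harden_instance() {
  instance_id="$1"
  aws ec2 modify-instance-metadata-options --instance-id "$instance_id" \
    --http-endpoint enabled --http-tokens required \
    --http-put-response-hop-limit 1
}

# Monitoring helper: keep only log lines that reference the metadata IP.
# The boundary check stops 169.254.169.2540 or 1169.254.169.254 from matching.
flag_imds_requests() {
  grep -E '(^|[^0-9])169\.254\.169\.254([^0-9]|$)' || true
}

# Count flagged lines in a log passed as a string (input for a rate alert).
count_imds_requests() {
  printf '%s\n' "$1" | flag_imds_requests | wc -l | tr -d ' '
}

# Constructed sample of outbound-request log lines (source, method, URL).
SAMPLE_LOG='10.0.0.5 PUT http://169.254.169.254/latest/api/token
10.0.0.5 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/
10.0.0.9 GET https://example.com/health
10.0.0.9 GET http://169.254.169.2540/'

# Run with the argument "live" on an EC2 instance to exercise the real flow;
# without it only the offline monitoring helper runs.
if [ "${1:-}" = "live" ]; then
  TOKEN="$(imds_token 21600)"
  imds_get "iam/security-credentials/" "$TOKEN"
else
  echo "flagged metadata requests in sample log: $(count_imds_requests "$SAMPLE_LOG")"
fi
```

Running the script without arguments only exercises the log filter, which flags two of the four constructed lines (the token PUT and the credentials GET) and ignores the look-alike 169.254.169.2540 address. Setting the hop limit to 1 in harden_instance is the right default for plain hosts, but containers on a bridged Docker network then cannot obtain tokens; leave it at 2 there or run such workloads with host networking.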