Request URL: http%3a%2f%2f169.254.169.254%2flatest%2fmeta-data%2fiam%2fsecurity-credentials%2f (the percent-encoded form of http://169.254.169.254/latest/meta-data/iam/security-credentials/)
The http://169.254.169.254/latest/meta-data/iam/security-credentials/ endpoint is a critical AWS link-local service that provides temporary IAM credentials to EC2 instances. While essential for legitimate automation, it is a prime target for Server-Side Request Forgery (SSRF) attacks: any server-side component that can be made to fetch an attacker-chosen URL can read the instance role's credentials, leading to credential theft and compromise of whatever that role can reach. Mitigation requires adopting IMDSv2, which makes metadata access session-oriented (a token obtained with a PUT request and presented in a header on every subsequent GET), so that the bare GET an SSRF bug typically yields is no longer enough.

For a detailed technical overview, see:
- "Introduction to the Instance Metadata Service", Hacking The Cloud, 20 Dec 2020
- "Steal EC2 Metadata Credentials via SSRF", Hacking The Cloud, 1 Aug 2020
- "What is 169.254.169.254? - Kontra Hands-on Labs", Security Compass, 5 Nov 2024
- "Understanding AWS Instance Metadata Service: A Closer Look", DEV Community, 21 Jan 2024
- "Old Services, New Tricks: Cloud Metadata Abuse by UNC2903", Google Cloud, 4 May 2022
- "AWS credential compromises tied to Grafana SSRF attacks"
The URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ is a critical AWS instance metadata endpoint, frequently targeted in Server-Side Request Forgery (SSRF) attacks to steal temporary IAM credentials. Security experts recommend enforcing Instance Metadata Service Version 2 (IMDSv2), which requires a session token obtained with a PUT request and presented in a request header, so that a simple GET forged through an SSRF bug no longer returns credentials. Read the full analysis at Hacking Articles.
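Enforcing IMDSv2 is a per-instance setting (HttpTokens=required), so the practical first step is to find the instances that still answer IMDSv1 and then flip them. The following is an added example, not code from the page or from any of the sources it cites. It calls only two real boto3 EC2 client methods, describe_instances() and modify_instance_metadata_options(); the client object is passed in, so the logic runs offline against the constructed stand-in FakeEc2 below, whose instance IDs and settings are made up. With boto3 you would call audit_metadata_options(boto3.client("ec2")).

```python
"""Audit EC2 instances for IMDSv1 exposure and enforce IMDSv2.

Added example, not code from the page or its sources. Only two real boto3 EC2
client methods are used: describe_instances() and
modify_instance_metadata_options(). FakeEc2 is a constructed stand-in so the
logic can be run offline; its instance IDs and settings are made up.
"""

IMDSV1_ALLOWED = "IMDSv1 allowed (HttpTokens is not 'required'): a bare GET returns credentials"
HOP_LIMIT_HIGH = "HttpPutResponseHopLimit > 1: IMDSv2 tokens can be fetched one network hop away (e.g. from a container)"


def check_metadata_options(opts):
    """Return the findings for one instance's MetadataOptions block."""
    findings = []
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return findings  # IMDS switched off entirely: nothing for SSRF to read
    if opts.get("HttpTokens", "optional") != "required":
        findings.append(IMDSV1_ALLOWED)
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        findings.append(HOP_LIMIT_HIGH)
    return findings


def audit_metadata_options(ec2):
    """Walk every page of describe_instances() and return [(instance_id, findings), ...]
    for instances with at least one finding."""
    results, kwargs = [], {}
    while True:
        page = ec2.describe_instances(**kwargs)
        for reservation in page.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                findings = check_metadata_options(inst.get("MetadataOptions", {}))
                if findings:
                    results.append((inst["InstanceId"], findings))
        if not page.get("NextToken"):
            return results
        kwargs = {"NextToken": page["NextToken"]}


def instances_allowing_imdsv1(ec2):
    """Instance IDs where a plain GET to 169.254.169.254 still returns credentials."""
    return [iid for iid, findings in audit_metadata_options(ec2) if IMDSV1_ALLOWED in findings]


def enforce_imdsv2(ec2, instance_ids, hop_limit=1):
    """Require IMDSv2 on the given instances. This breaks any client still using
    IMDSv1, so audit first and watch the MetadataNoToken CloudWatch metric (a
    count of IMDSv1 calls) before flipping a production fleet."""
    for instance_id in instance_ids:
        ec2.modify_instance_metadata_options(
            InstanceId=instance_id,
            HttpTokens="required",
            HttpEndpoint="enabled",
            HttpPutResponseHopLimit=hop_limit,
        )
    return list(instance_ids)


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client; records enforcement calls."""

    def __init__(self):
        self.modified = []
        self.instances = [  # made-up fleet covering each state the audit distinguishes
            ("i-0aaa111", {"HttpTokens": "optional", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}),
            ("i-0bbb222", {"HttpTokens": "required", "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}),
            ("i-0ccc333", {"HttpTokens": "required", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}),
            ("i-0ddd444", {"HttpTokens": "optional", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}),
        ]

    def describe_instances(self, **kwargs):
        return {"Reservations": [{"Instances": [
            {"InstanceId": iid, "MetadataOptions": opts} for iid, opts in self.instances]}]}

    def modify_instance_metadata_options(self, **kwargs):
        self.modified.append(kwargs)
        return {"InstanceId": kwargs["InstanceId"]}


if __name__ == "__main__":
    ec2 = FakeEc2()
    for iid, findings in audit_metadata_options(ec2):
        print(iid, *findings, sep="\n  ")
    print("enforced on:", enforce_imdsv2(ec2, instances_allowing_imdsv1(ec2)))
```

The hop-limit check is a warning rather than a hard failure: a limit above 1 lets a container or other second network hop complete the PUT exchange, which is sometimes intended (ECS and EKS nodes), but on a plain web server it widens the set of processes that can mint tokens.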
http://169.254.169.254/latest/meta-data/iam/security-credentials/
This URL is used to retrieve temporary security credentials for the IAM role attached to the instance through its instance profile. When a request is made to this URL from within an EC2 instance, the metadata service returns the name of that role; a request for the same path with the role name appended returns a JSON response containing the role's temporary security credentials. Under IMDSv1 both are plain unauthenticated GETs, which is why an SSRF bug in any application on the instance is enough to retrieve them.
Feature: Temporary Security Credential Retrieval
Why This Endpoint Is a Prime Target for Attackers
Security Analysis Report: AWS IMDSv1 Credential Exploitation Attempt
Target URL: http://169.254.169.254/latest/meta-data/iam/security-credentials/
Classification: Critical Security Event / Cloud Instance Metadata Service (IMDS) Query
Context: Server-Side Request Forgery (SSRF) Attack Vector
B. Network Egress Filtering and URL Validation
Implement strict validation on any user-supplied URL before the server fetches it, and restrict what the application host can reach outbound.
- Block internal addresses: ensure the application layer rejects requests to the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), to loopback, and specifically to the link-local range 169.254.0.0/16 (RFC 3927), which contains 169.254.169.254. The metadata address is link-local, not RFC 1918, so a filter built only from the private-range list misses it.
- URL decoding: security controls must decode URLs before validating them to catch obfuscated requests like the one analyzed here, in which the scheme and path separators were percent-encoded. The same applies to alternative spellings of the address (a decimal or hexadecimal integer, an IPv6-mapped form such as ::ffff:169.254.169.254, or a DNS name that resolves to it): normalise the host to an IP address, check that, and re-check every redirect the fetch follows.
Host-side filtering is defence in depth; requiring IMDSv2 on the instance remains the primary control, because it keeps the credentials out of reach of a bare GET even when validation fails.
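A validator that covers the two bullets above (decode first, then reject the metadata address in every spelling) looks like this. It is an added example written for this page, not code from the page or its sources, and uses only the Python standard library. The DNS resolver is injectable so the check can be exercised offline against the made-up table in constructed_resolver(); production code passes socket.getaddrinfo. The hostnames and addresses in that table are assumptions.

```python
"""SSRF guard for user-supplied URLs that refuses the metadata address in every spelling.

Added example, not code from the page or its sources; standard library only.
The resolver is injectable so the check runs offline against the constructed
DNS table in constructed_resolver(); production code passes socket.getaddrinfo.
"""
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

# Destinations an outbound fetch must never reach. 169.254.0.0/16 is link-local
# (RFC 3927), not RFC 1918, so a filter built only from the private ranges misses it.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                                 # link-local, contains 169.254.169.254
    "127.0.0.0/8", "0.0.0.0/8",                       # loopback, "this host"
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # shared address space (RFC 6598)
    "::1/128", "fe80::/10",                           # IPv6 loopback, link-local
    "fc00::/7",                                       # unique-local, contains fd00:ec2::254 (IMDS over IPv6)
)]


def ipv4_from_legacy(host):
    """Parse the inet_aton() spellings curl and browsers accept but ipaddress rejects:
    decimal (2852039166), hex (0xa9fea9fe), octal (0251.0376.0251.0376) and
    fewer-than-four-part forms (169.254.43518). Returns an IPv4Address or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not p or not p.isalnum():
            return None
        try:
            if p[:2].lower() == "0x":
                nums.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == "0":
                nums.append(int(p, 8))
            else:
                nums.append(int(p, 10))
        except ValueError:
            return None
    # every part but the last is one octet; the last part fills the remaining bytes
    last_width = 8 * (5 - len(parts))
    if any(n > 255 for n in nums[:-1]) or not 0 <= nums[-1] < (1 << last_width):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << last_width) | nums[-1])


def host_to_ip(host):
    """Normalise a host literal to an IP address, or return None if it is a DNS name."""
    ip = ipv4_from_legacy(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return None
    # [::ffff:169.254.169.254] reaches the IPv4 metadata address; compare the IPv4 form
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_blocked(ip):
    return any(ip in net for net in BLOCKED_NETWORKS)


def vet_url(url, resolver=socket.getaddrinfo):
    """Return (hostname, ip_to_connect_to) for an allowed URL; raise ValueError otherwise.

    Connect to the returned IP rather than the hostname, so a DNS rebind between
    this check and the connection cannot retarget it, and call vet_url() again on
    every redirect the fetch follows."""
    decoded = url
    for _ in range(3):  # undo single and double percent-encoding before parsing
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    literal = host_to_ip(host)
    if literal is not None:
        candidates = [literal]
    else:
        try:
            infos = resolver(host, None)
        except socket.gaierror as e:
            raise ValueError(f"cannot resolve {host!r}") from e
        candidates = [host_to_ip(sockaddr[0]) for *_, sockaddr in infos]
    if not candidates:
        raise ValueError(f"no addresses for {host!r}")
    for ip in candidates:
        if ip is None or is_blocked(ip):  # any blocked A/AAAA record rejects the URL
            raise ValueError(f"blocked destination: {host!r} -> {ip}")
    return host, str(candidates[0])


def is_safe_url(url, resolver=socket.getaddrinfo):
    try:
        vet_url(url, resolver)
        return True
    except ValueError:
        return False


def constructed_resolver(host, port):
    """Offline stand-in for socket.getaddrinfo with a made-up DNS table."""
    table = {
        "api.example.com": "203.0.113.10",           # documentation range, fine to fetch
        "metadata.evil.example": "169.254.169.254",  # attacker-controlled name pointing at IMDS
    }
    if host not in table:
        raise socket.gaierror(f"no such host: {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[host], port or 0))]


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http%3a%2f%2f169.254.169.254%2flatest%2fmeta-data%2fiam%2fsecurity-credentials%2f",
              "http://2852039166/latest/meta-data/", "http://0xa9fea9fe/", "http://169.254.43518/",
              "http://[::ffff:169.254.169.254]/", "http://metadata.evil.example/latest/"):
        print(f"{'allow' if is_safe_url(u, constructed_resolver) else 'block'}  {u}")
```

Two design points matter more than the blocklist itself: the check returns the resolved IP so the caller pins the connection to it (otherwise a short-TTL DNS name can pass validation and then rebind to 169.254.169.254), and the HTTP client must not follow redirects automatically, since a 302 to the metadata address bypasses any check done only on the initial URL.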
How It Works
- EC2 Instance Metadata Service: AWS provides a metadata service, reachable only from inside an EC2 instance at the link-local address 169.254.169.254, that provides information about the instance and is also used to retrieve temporary security credentials.
- Request to the metadata service: software on the instance makes an HTTP request to the metadata service at the specified URL. Under IMDSv1 this is a plain GET with no authentication; under IMDSv2 the client first obtains a session token with a PUT request and sends it in a header on each GET.
- IAM role information: the request path names the IAM security-credentials resource. The metadata service uses the instance's identity to determine which IAM role is attached to the instance (through its instance profile) and returns that role's name.
- Response: requesting the path with the role name appended returns a JSON document containing temporary security credentials for the role: AccessKeyId, SecretAccessKey and Token (the session token), together with an Expiration timestamp.
- Using credentials: the EC2 instance can then use these credentials to call AWS services. Anything that can make the instance issue these requests on its behalf, such as an SSRF bug in a web application running on it, obtains the same credentials.
Description
The feature allows an EC2 instance to request temporary security credentials for the IAM role associated with it. This enables the instance to make authenticated requests to AWS services without needing to hard-code or store long-term access keys; the credentials are short-lived and refreshed automatically by the metadata service.
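The exchange described above, run both ways (IMDSv1 bare GETs and the IMDSv2 token flow), as an added example that is not part of the page or its sources. Because the real endpoint only answers from inside an instance, the block stands up a constructed local mock of the service's observable behaviour: the role listing at /latest/meta-data/iam/security-credentials/, the JSON credential document with the real field names, the PUT /latest/api/token exchange, and the real service's refusal to mint tokens for requests carrying X-Forwarded-For. The role name, key ID, secret and token values are made up; everything else is standard library.

```python
"""IMDSv1 versus IMDSv2 credential retrieval, exercised against a local stand-in.

Added example, not code from the page or its sources. The server below is a
constructed mock of the metadata service; the role name, key ID, secret and
token values are made up. Standard library only.
"""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

ROLE_NAME = "web-app-role"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
CONSTRUCTED_CREDS = {  # same field names as the real response; the values are fake
    "Code": "Success",
    "LastUpdated": "2024-05-01T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
    "SecretAccessKey": "constructed/secret/key/not/real",
    "Token": "constructed-session-token",
    "Expiration": "2024-05-01T16:00:00Z",
}
_opener = build_opener(ProxyHandler({}))  # never route these requests via an env-configured proxy


class ImdsError(Exception):
    """The metadata service refused the request."""


def make_handler(require_token):
    """Build a request handler; require_token=True models HttpTokens=required (IMDSv2 only)."""
    issued = set()

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _send(self, status, body, ctype="text/plain"):
            data = body.encode()
            self.send_response(status)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_PUT(self):
            # IMDSv2 session start: PUT /latest/api/token with a TTL header
            if self.path != "/latest/api/token" or not self.headers.get("X-aws-ec2-metadata-token-ttl-seconds"):
                return self._send(400, "")
            if self.headers.get("X-Forwarded-For"):
                return self._send(403, "")  # the real service will not mint tokens for proxied requests
            token = secrets.token_urlsafe(32)
            issued.add(token)
            self._send(200, token)

        def do_GET(self):
            # With tokens required, a bare GET (what SSRF usually produces) gets 401
            if require_token and self.headers.get("X-aws-ec2-metadata-token") not in issued:
                return self._send(401, "")
            if self.path == CREDS_PATH:
                return self._send(200, ROLE_NAME + "\n")
            if self.path == CREDS_PATH + ROLE_NAME:
                return self._send(200, json.dumps(CONSTRUCTED_CREDS), "application/json")
            self._send(404, "")

    return Handler


def start_mock_imds(require_token):
    """Start the stand-in on 127.0.0.1 and return (server, base_url); call server.shutdown() when done."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(require_token))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_credentials(base_url, use_v2):
    """Retrieve the role's credentials the way an instance (or an SSRF payload) would.

    use_v2=False is the IMDSv1 pattern: two bare GETs, exactly what a typical SSRF
    primitive can produce. use_v2=True first obtains a session token with PUT and
    sends it as a header on each GET, which most SSRF primitives cannot do.
    """
    headers = {}
    try:
        if use_v2:
            req = Request(base_url + "/latest/api/token", method="PUT",
                          headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
            with _opener.open(req, timeout=5) as resp:
                headers["X-aws-ec2-metadata-token"] = resp.read().decode()
        with _opener.open(Request(base_url + CREDS_PATH, headers=headers), timeout=5) as resp:
            role = resp.read().decode().split()[0]  # the single role name listed
        with _opener.open(Request(base_url + CREDS_PATH + role, headers=headers), timeout=5) as resp:
            return json.loads(resp.read().decode())
    except HTTPError as e:
        raise ImdsError(f"metadata service returned HTTP {e.code}") from e


if __name__ == "__main__":
    for required in (False, True):
        server, url = start_mock_imds(required)
        for v2 in (False, True):
            try:
                outcome = "got " + fetch_credentials(url, v2)["AccessKeyId"]
            except ImdsError as e:
                outcome = str(e)
            print(f"HttpTokens={'required' if required else 'optional'} IMDSv{2 if v2 else 1}: {outcome}")
        server.shutdown()
```

Run stand-alone it prints four outcomes: with HttpTokens=optional both flows return the key ID, with HttpTokens=required the IMDSv1-style fetch is refused with HTTP 401 while the token flow still succeeds. That asymmetry is the whole mitigation: the PUT request and the custom header are what most SSRF primitives cannot produce.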