Request URL: http://169.254.169.254/latest/meta-data/iam/security-credentials/

http://169.254.169.254/latest/meta-data/iam/security-credentials/

Immediate Consequences:

  • Credential Theft: The attacker obtains valid, temporary AWS credentials.
  • Privilege Escalation: These credentials provide the exact permissions assigned to the compromised EC2 instance's IAM role.
  • Lateral Movement: If the IAM role has broad permissions (e.g., S3FullAccess, AdministratorAccess), the attacker can use these credentials from their local machine to access other resources in the AWS account (S3 buckets, RDS databases, Lambda functions).

Mitigation with IMDSv2:

  • How it works: IMDSv2 requires a session token. A client must first send a PUT request to retrieve a token, and then present that token in the GET request for metadata.
  • The Defense: Standard SSRF attacks (like the one implied by this URL) are simple HTTP GET requests. Because the attacker cannot easily issue the initial PUT request from within an SSRF context, the GET request fails.
  • Action: Enforce IMDSv2 on all EC2 instances and disable IMDSv1 (which is the vulnerable version targeted by this URL).
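
One way to act on the enforcement step above is to audit which instances still accept IMDSv1. The following is an added example, not part of the original page: it classifies instances from `aws ec2 describe-instances` JSON by their `MetadataOptions` and builds the AWS CLI command that switches each exposed instance to IMDSv2-only. The sample data and instance IDs are constructed, and treating an instance with no `MetadataOptions` as exposed is an assumption made here to stay conservative.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output; IDs are made up.
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0aaa0000000000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}}]},
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000003",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0aaa0000000000004"}]}
]}
""")


def classify(instance):
    """Return 'imds-off', 'imdsv2-only' or 'imdsv1-allowed' for one instance."""
    opts = instance.get("MetadataOptions") or {}
    if opts.get("HttpEndpoint") == "disabled":
        return "imds-off"          # metadata service is unreachable altogether
    if opts.get("HttpTokens") == "required":
        return "imdsv2-only"       # GETs without a session token are rejected
    return "imdsv1-allowed"        # 'optional' or missing: treated as exposed


def audit(describe_output):
    """Map each instance ID to its IMDS state across all reservations."""
    return {
        inst["InstanceId"]: classify(inst)
        for res in describe_output.get("Reservations", [])
        for inst in res.get("Instances", [])
    }


def remediation_commands(describe_output):
    """AWS CLI commands that switch every exposed instance to IMDSv2-only."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-endpoint enabled"
        for iid, state in audit(describe_output).items()
        if state == "imdsv1-allowed"
    ]


if __name__ == "__main__":
    print("\n".join(remediation_commands(SAMPLE)))
```
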

The response might look like:

This URL is used to retrieve temporary security credentials for an AWS service or resource. When a request is made to this URL from within an EC2 instance, AWS returns a JSON response containing the security credentials for the IAM role attached to the instance.

Credential Security: The credentials provided through this service are temporary and are meant for use by the EC2 instance to access AWS resources. Proper handling and security practices are crucial to prevent misuse.