
This URL is what an EC2 instance uses to retrieve the temporary security credentials of its IAM role; the AWS SDKs and CLI on the instance then sign their requests to AWS services with those credentials. Anything running on the instance, including an application that can be tricked into fetching an attacker-chosen URL, can read the same endpoint.

We can leverage this to make a request to http://169.254.169.254 from the vulnerable host, for example:

* To determine if the EC2 instance has an IAM role associated w…

AWS introduced IMDSv2 specifically to mitigate SSRF risks. Unlike IMDSv1, which answers a simple GET request, IMDSv2 requires a session token that must first be obtained with an HTTP PUT request and then sent in a request header on every subsequent GET. A typical SSRF primitive only lets the attacker control the URL of a GET, not the method or headers, so it cannot complete that exchange.

Regularly monitor the usage of these temporary credentials, for example in CloudTrail, to detect any unauthorized access: an API call signed with an instance role's credentials but coming from an IP address outside the instance's own network is a strong indicator that the credentials were stolen.
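One way to act on that monitoring advice, as an added Python example (not code from the page or from AWS): the instance-profile session name in a CloudTrail `userIdentity.arn` is the instance ID, so each call can be checked against the egress addresses that instance is expected to use. The CloudTrail records and the `EXPECTED_EGRESS` allow-list below are constructed for the demo; the role name, account ID and addresses are assumptions.

```python
import ipaddress

# Constructed CloudTrail-style records for the demo (not real log data).
# Instance-profile sessions carry the instance ID as the role session name,
# so the ARN tells us which instance the credentials belong to.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-11-05T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-sdk-java/1.12.500",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/webserver-role/i-0abc123def4567890"}},
    {"eventTime": "2024-11-05T10:07:42Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/webserver-role/i-0abc123def4567890"}},
    {"eventTime": "2024-11-05T10:09:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]

# Assumed per-instance egress (NAT gateway or Elastic IP ranges) that calls
# signed with that instance's role credentials should come from.
EXPECTED_EGRESS = {"i-0abc123def4567890": ["203.0.113.0/28"]}


def instance_session(record):
    """Return the instance ID if the caller is an EC2 instance-profile session, else None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    return session_name if session_name.startswith("i-") else None


def find_instance_credential_misuse(records, expected_egress=EXPECTED_EGRESS):
    """Flag API calls made with an instance role's credentials from outside
    that instance's expected egress addresses (the classic IMDS-theft signal)."""
    hits = []
    for rec in records:
        instance_id = instance_session(rec)
        if instance_id is None:
            continue
        try:
            src = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
        except ValueError:
            continue  # service-originated calls log a DNS name (e.g. "ec2.amazonaws.com")
        allowed = [ipaddress.ip_network(cidr) for cidr in expected_egress.get(instance_id, [])]
        if not any(src in net for net in allowed):
            hits.append({
                "instance_id": instance_id,
                "eventName": rec.get("eventName"),
                "sourceIPAddress": str(src),
                "userAgent": rec.get("userAgent"),
                "eventTime": rec.get("eventTime"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_instance_credential_misuse(SAMPLE_CLOUDTRAIL):
        print("ALERT: role credentials of", hit["instance_id"], "used for",
              hit["eventName"], "from", hit["sourceIPAddress"], "via", hit["userAgent"])
```

An instance whose ID is missing from the allow-list is flagged on every call, which is the safe default. The user-agent is kept in the hit because a change from the application's SDK to `aws-cli` is a second, independent tell. GuardDuty's InstanceCredentialExfiltration findings are built on the same idea, so this is mainly useful where GuardDuty is not enabled or where you want your own allow-list.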


With these three pieces of information (the AccessKeyId, SecretAccessKey and session Token returned by the credentials endpoint), an attacker can configure their local AWS CLI to impersonate the compromised instance. Depending on the permissions of the IAM role, this could lead to full administrative access to the AWS account, data exfiltration from S3 buckets, or the launching of unauthorized resources.

How to Prevent Metadata Exfiltration
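The first prevention step is to find the instances that still answer IMDSv1. The following is an added Python example, not code from the page or from AWS: it audits a response in the shape of `ec2:DescribeInstances` and builds the arguments for boto3's `ec2.modify_instance_metadata_options`. The instance IDs and settings below are constructed sample data.

```python
# Constructed sample shaped like the ec2:DescribeInstances response (not real data).
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0abc123def4567890",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},   # weak: IMDSv1 still answers
        {"InstanceId": "i-0fed987cba6543210",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},   # hardened
        {"InstanceId": "i-0123456789abcdef0",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},   # no IMDS at all
    ]}]
}


def audit_metadata_options(describe_response):
    """Return one finding per instance whose IMDS settings still allow v1 or let
    the PUT response travel more than one network hop (e.g. into a bridged container)."""
    findings = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # endpoint off: nothing for an SSRF to reach
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed (HttpTokens=%s)" % opts.get("HttpTokens"))
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > 1:
                problems.append("HttpPutResponseHopLimit=%d (token reachable beyond the host)" % hops)
            if problems:
                findings.append({"InstanceId": inst["InstanceId"], "problems": problems})
    return findings


def remediation(instance_id):
    """Keyword arguments for boto3's ec2.modify_instance_metadata_options(**kwargs).
    The equivalent CLI is:
      aws ec2 modify-instance-metadata-options --instance-id <id> \
          --http-tokens required --http-put-response-hop-limit 1 --http-endpoint enabled
    """
    return {"InstanceId": instance_id, "HttpEndpoint": "enabled",
            "HttpTokens": "required", "HttpPutResponseHopLimit": 1}


if __name__ == "__main__":
    for finding in audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES):
        print(finding["InstanceId"], "->", "; ".join(finding["problems"]))
        print("  fix:", remediation(finding["InstanceId"]))
```

`HttpTokens=required` is the setting that actually stops a GET-only SSRF. The hop-limit check is a review item rather than an automatic fix: with a hop limit of 1 the token response cannot cross a NAT hop, so workloads in bridged Docker containers on the instance would need a limit of 2 to use IMDSv2 at all.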

    # Step 1: Generate a token (valid for 6 hours / 21600 seconds)
    TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

    # Step 2: List the role name, then request its credentials, sending the token in the header
    curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
    curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
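To show why the PUT-then-header flow above defeats a GET-only SSRF, here is an added Python simulation; it is not code from the page and not AWS's implementation. A minimal fake metadata service on loopback enforces the IMDSv2 rules (token minted only by PUT with a TTL header, PUTs carrying `X-Forwarded-For` refused, GETs without a valid token answered with 401 when tokens are required), and two clients query it: a model of an SSRF primitive that can only issue a plain GET, and the legitimate two-step client. The credentials, role name and port are constructed.

```python
import json
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed, obviously fake credentials for the simulation (not real keys).
FAKE_CREDS = {"Code": "Success", "Type": "AWS-HMAC",
              "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
              "SecretAccessKey": "example-secret-not-real",
              "Token": "example-session-token-not-real",
              "Expiration": "2030-01-01T00:00:00Z"}
ROLE_NAME = "webserver-role"          # assumed role attached to the fake instance
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


class FakeIMDS(BaseHTTPRequestHandler):
    http_tokens = "required"          # "required" = IMDSv2 only, "optional" = v1 allowed
    tokens = {}                       # token -> expiry (epoch seconds)

    def log_message(self, *args):     # keep the demo quiet
        pass

    def _send(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path != TOKEN_PATH:
            return self._send(404)
        # IMDSv2 refuses PUTs that carry X-Forwarded-For, so an open proxy on the
        # instance cannot be used to mint a token on the attacker's behalf.
        if "X-Forwarded-For" in self.headers:
            return self._send(403)
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._send(400)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._send(200, token)

    def do_GET(self):
        token = self.headers.get("X-aws-ec2-metadata-token")
        valid = token in self.tokens and self.tokens[token] > time.time()
        if self.http_tokens == "required" and not valid:
            return self._send(401)    # what a GET-only SSRF sees on a hardened instance
        if self.path == CREDS_PATH:
            return self._send(200, ROLE_NAME)
        if self.path == CREDS_PATH + ROLE_NAME:
            return self._send(200, json.dumps(FAKE_CREDS))
        self._send(404)


def start_fake_imds(http_tokens="required"):
    """Start the simulated metadata service on a random loopback port."""
    FakeIMDS.http_tokens = http_tokens
    FakeIMDS.tokens = {}
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def _request(url, method="GET", headers=None):
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def ssrf_get(url):
    """Model of a typical SSRF primitive: a plain GET with no control over headers."""
    return _request(url)


def imdsv2_fetch_credentials(base_url, ttl=21600):
    """The legitimate IMDSv2 flow: PUT for a token, then GET with it in the header."""
    code, token = _request(base_url + TOKEN_PATH, "PUT",
                           {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    if code != 200:
        return code, None
    hdr = {"X-aws-ec2-metadata-token": token}
    code, role = _request(base_url + CREDS_PATH, headers=hdr)
    if code != 200:
        return code, None
    code, body = _request(base_url + CREDS_PATH + role, headers=hdr)
    return code, (json.loads(body) if code == 200 else None)


if __name__ == "__main__":
    for mode in ("optional", "required"):
        server, base = start_fake_imds(mode)
        print(mode, "-> SSRF GET:", ssrf_get(base + CREDS_PATH + ROLE_NAME)[0],
              "| IMDSv2 client:", imdsv2_fetch_credentials(base)[0])
        server.shutdown()
```

With `HttpTokens=optional` the SSRF GET returns the credentials JSON just as the two-step client does; with `required` the same GET gets 401 while the two-step client still succeeds, which is exactly the property the curl commands above rely on.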

Instead of providing a valid image URL, the attacker inputs http://169.254.169.254/latest/meta-data/iam/security-credentials/[role-name] .

* 169.254.169.254 is a link-local IP address used by cloud service providers, such as AWS, Azure, and Google Cloud, to provide metadata abo…

An application (e.g., WordPress, Java, Node.js app) has an SSRF bug.

The EC2 instance then makes the request to the metadata service at the attacker-supplied URL and hands the response, the role's credentials, back to the attacker.