callback-url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

However, IMDSv2 is on older instance types or some AMIs. You must explicitly require it, either at instance launch (metadata options → v2 only) or by setting the instance metadata service to required.

Success allows the attacker to steal the AccessKeyId, SecretAccessKey, and Token of the IAM role attached to that server.

This URL is used in the context of AWS EC2 instances to fetch temporary security credentials.

Securing your cloud infrastructure against this specific exploit requires a multi-layered defense strategy.

1. Enforce AWS IMDSv2
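
One way to check whether IMDSv2 is actually required across a fleet, as an added example that is not part of the original page: it audits output shaped like `aws ec2 describe-instances` and lists instances that still answer IMDSv1 requests. The sample data, instance IDs and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output.
# Instance IDs are made up; only the fields the audit reads are included.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa0000000000001",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0aaa0000000000002",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
  {"InstanceId": "i-0aaa0000000000003",
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0aaa0000000000004"}
]}]}
""")


def audit_imds(describe_output):
    """Return {instance_id: finding} for instances where IMDSv2 is not required."""
    findings = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions") or {}
            # A disabled endpoint serves no metadata at all, so nothing to flag.
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue
            tokens = opts.get("HttpTokens", "missing")
            # Anything other than "required" means token-less (v1) requests work,
            # or the setting could not be confirmed and needs a manual look.
            if tokens != "required":
                findings[inst["InstanceId"]] = "HttpTokens=" + tokens
    return findings


def remediation_commands(findings):
    """Build the AWS CLI call that sets the metadata service to required."""
    template = ("aws ec2 modify-instance-metadata-options "
                "--instance-id {} --http-tokens required --http-endpoint enabled")
    return [template.format(iid) for iid in sorted(findings)]


if __name__ == "__main__":
    results = audit_imds(SAMPLE)
    for iid, why in sorted(results.items()):
        print(iid, why)
    print("\n".join(remediation_commands(results)))
```

Test the change on one instance first: software that still makes token-less metadata requests stops receiving credentials once tokens are required.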

When a virtual machine (VM) is launched in a cloud environment, it's assigned an instance ID and a set of metadata, including information about the instance's configuration, networking, and storage. The metadata service provides a way for the instance to access this metadata.

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/MyAppRole

This specific callback URL is so critical because of the nature of the IAM credentials it exposes. These are temporary, but they are extremely powerful. An attacker who steals these credentials can then run AWS CLI commands from their own machine, performing actions like listing S3 buckets, spinning up new instances, or reading databases, all while appearing as a legitimate service.

What or logs triggered this alert (e.g., AWS GuardDuty, WAF logs)?

The URL you provided is a common payload used in Server-Side Request Forgery (SSRF)