request-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta data-2Fiam-2Fsecurity credentials-2F

Every EC2 instance launched in AWS has access to an internal, link-local HTTP service that runs at the IP address 169.254.169.254. This service, known as the Instance Metadata Service (IMDS), provides the instance with information about itself: everything from its instance ID, public hostname, and network configuration to, most critically, temporary IAM role credentials.

Block requests attempting to resolve to private, local, or loopback IP ranges (such as 127.0.0.1 and 169.254.169.254).

4. Restrict Container Access (Bridge Networking)

The specific URL in our focus, request-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta data-2Fiam-2Fsecurity credentials-2F/, represents a URL-encoded version of the most sensitive endpoint within the IMDS: http://169.254.169.254/latest/meta-data/iam/security-credentials/. The URL encoding (http-3A-2F-2F for http://, -2F for /, and -2Fmeta data-2F for /meta data/) is often used by attackers to obfuscate the request or bypass simple pattern-matching security controls in web applications. It is a classic SSRF payload designed to make a server request data from its own metadata service.

/latest/meta-data/: Accesses the core configuration details of the active EC2 instance.

Web servers log incoming traffic or application inputs using specific encodings to handle special characters. 3A decodes to a colon (:). 2F decodes to a forward slash (/).

These credentials are used by the AWS SDKs and CLI to authorize actions on behalf of the instance.

Example Request and Response

However, it's also crucial to be aware of potential risks. For example, if an application or a user can read the metadata service, they can access these credentials. AWS provides ways to help mitigate these risks, including the ability to restrict access to the metadata service through mechanisms like IMDSv2.

This article explores what this URI does, why it is a target, and how to secure your infrastructure against its misuse.

What is 169.254.169.254?

This URL is the textbook example of a Server-Side Request Forgery (SSRF) vulnerability within a cloud environment.

/iam/security-credentials/: This final part of the path specifies that the request is looking for IAM (Identity and Access Management) security credentials. IAM is a service that enables AWS customers to manage access to AWS resources.

A request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ returns a list of IAM roles attached to the instance.

If userUrl is http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole, the server will fetch and leak the credentials.
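One way to apply the "block private, local, or loopback ranges" mitigation to a value like userUrl before the server fetches it. This is an added example, not code from the original page; the names `check_outbound_url`, `is_forbidden` and `system_resolver` are hypothetical, and it goes beyond the single IMDS address by rejecting every non-public destination, including IPv4-mapped IPv6 literals and hostnames that resolve to internal addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host, port):
    """Resolve host with the OS resolver and return its IP strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_forbidden(ip_text):
    """True for loopback, private, link-local (IMDS) and other non-public IPs."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop any IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:  # judge ::ffff:a.b.c.d by its embedded IPv4 address
        ip = mapped
    return ip.is_multicast or not ip.is_global


def check_outbound_url(user_url, resolver=system_resolver):
    """Return (ok, reason, pinned_ip) for a user-supplied URL.

    pinned_ip is the vetted address the caller should connect to, so a later
    DNS lookup cannot point the request at a different destination.
    """
    try:
        parts = urlsplit(user_url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL", None
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False, "scheme or host not allowed", None
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # literal IP: nothing to resolve
    except ValueError:
        try:
            addresses = resolver(host, port)
        except OSError:
            return False, "resolution failed", None
    bad = [a for a in addresses if is_forbidden(a)]
    if bad or not addresses:
        return False, f"non-public destination: {bad}", None
    return True, "ok", addresses[0]
```

The check only holds if the HTTP client connects to the returned pinned address and does not follow redirects to unchecked locations.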

Ensure that the IAM roles attached to your EC2 instances have the absolute minimum permissions required to perform their tasks. Even if an attacker steals the credentials, their impact is limited if the role cannot access sensitive data or modify infrastructure.

Use Network Firewalls and Security Groups