AWS provides the Instance Metadata Service (IMDS) at the non-routable IP address 169.254.169.254. This service allows applications running on an EC2 instance to retrieve information about the instance itself, including the temporary credentials of the IAM role attached to the instance, without needing an external API call.

169.254.169.254: An IPv4 link-local address. In cloud environments like AWS, Microsoft Azure, and Google Cloud Platform, this address resolves to an internal metadata API accessible only from within the running virtual machine itself. Azure and GCP additionally require a custom request header (Metadata: true and Metadata-Flavor: Google respectively), so a bare GET forged through SSRF is rejected there; AWS IMDSv1 has no such requirement, which is why the AWS endpoint is the classic target.

URL decoding: The server receives the attacker-supplied string and strips away the URL encoding before making the request. A filter that inspects the raw, still-encoded parameter therefore never sees the literal address; any check must run on the decoded, canonical form.

IMDSv1: Allows a simple GET request to retrieve credentials, with no authentication, session token or custom header. Listing /latest/meta-data/iam/security-credentials/ returns the role name, and appending that name to the path returns the AccessKeyId, SecretAccessKey and Token.

IMDSv2: Require all instances to use the newer, more secure version. IMDSv2 only answers requests that carry a session token, and the token is obtained with a PUT request whose response is by default limited to one network hop; an SSRF primitive that can only make the application issue a GET cannot obtain one. On AWS this is enforced per instance with the metadata option HttpTokens=required.

Once the vulnerable server makes the request, the attacker reads the response. If the response contains IAM credentials, the attacker wins: those temporary credentials work with the AWS CLI or SDK from anywhere, with every permission granted to the instance role. Even when the response is not returned to the attacker (blind SSRF), the credentials are not necessarily safe: if the application forwards or reflects what it fetched into a further outbound request (a redirect it follows, a webhook it calls, a file it uploads), the attacker can aim that request at an endpoint they control and exfiltrate the metadata via DNS or HTTP. Blind SSRF with no such secondary channel only confirms that the metadata service is reachable.
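The whole chain above, as an added example that is not code from the original page: a stand-in for the metadata service (fake_imds, a simulation, not the real IMDS), a URL-fetching handler whose blocklist runs before URL decoding, a hardened handler that decodes first and rejects link-local, private and loopback addresses, and the two-request credential theft against each. The role name web-app-role, the credential JSON, the session token and the allow-listed host cdn.example.com are constructed sample values; nothing is fetched over the network.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

METADATA_IP = "169.254.169.254"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"
ROLE = "web-app-role"                       # constructed sample role name
SAMPLE_CREDS = ('{"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example", '
                '"Token": "example"}')      # constructed, not real credentials
TOKEN = "example-session-token"             # constructed IMDSv2 session token
ALLOWED_HOSTS = {"cdn.example.com"}         # constructed egress allow-list


def fake_imds(version, method, path, headers=None):
    """Simulation of IMDS (not the real service). v1 answers an unauthenticated
    GET; v2 demands a session token that is only handed out on a PUT."""
    headers = headers or {}
    if version == 2:
        if method == "PUT" and path == "/latest/api/token":
            if "X-aws-ec2-metadata-token-ttl-seconds" in headers:
                return 200, TOKEN
            return 400, ""
        if headers.get("X-aws-ec2-metadata-token") != TOKEN:
            return 401, ""
    if method != "GET":
        return 405, ""
    if path == CRED_PATH:
        return 200, ROLE                    # listing returns the role name
    if path == CRED_PATH + ROLE:
        return 200, SAMPLE_CREDS            # role path returns the credentials
    return 404, ""


def server_fetch(url, version):
    """What the application does with the URL it was handed: a plain GET with
    no extra headers, which is all a typical SSRF primitive can produce."""
    parts = urlsplit(url)
    if parts.hostname == METADATA_IP:
        return fake_imds(version, "GET", parts.path)
    return 200, f"(external fetch of {url} not performed offline)"


def naive_handler(raw_param, version=1):
    """Vulnerable: the blocklist inspects the raw parameter, and URL decoding
    happens afterwards, so a %-encoded address is never matched."""
    if METADATA_IP in raw_param:
        return 403, "blocked"
    url = unquote(raw_param)                # decoding after the check
    return server_fetch(url, version)


def hardened_handler(raw_param, version=1):
    """Hardened: decode first, then validate the canonical host."""
    url = unquote(raw_param)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return 403, "blocked: scheme/host"
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # A DNS name (or a decimal/hex IP form ipaddress rejects): allow-list
        # only. Real code must also resolve it and re-check every resolved
        # address, and every redirect hop, before connecting.
        if parts.hostname in ALLOWED_HOSTS:
            return server_fetch(url, version)
        return 403, "blocked: host not allow-listed"
    # is_link_local catches 169.254.169.254; is_private covers fd00:ec2::254
    if addr.is_link_local or addr.is_private or addr.is_loopback or addr.is_reserved:
        return 403, "blocked: internal address"
    return server_fetch(url, version)


def steal_credentials(handler, version):
    """Attacker flow: list the role name, then fetch that role's credentials.
    The IP is %-encoded so a pre-decode blocklist never sees the literal."""
    encoded_ip = "".join(f"%{ord(c):02X}" for c in METADATA_IP)
    status, role = handler(f"http://{encoded_ip}{CRED_PATH}", version)
    if status != 200:
        return status, None
    return handler(f"http://{encoded_ip}{CRED_PATH}{role}", version)


if __name__ == "__main__":
    print("naive handler, IMDSv1:    ", steal_credentials(naive_handler, 1))
    print("naive handler, IMDSv2:    ", steal_credentials(naive_handler, 2))
    print("hardened handler, IMDSv1: ", steal_credentials(hardened_handler, 1))
```

Two things the run makes concrete: against IMDSv1 the naive handler hands over the credentials even though its blocklist "contains" the metadata address, because the encoded form passes the check and is decoded only afterwards; against IMDSv2 the same GET-only SSRF gets a 401, since it can never perform the PUT that issues the session token. The hardened handler stops both, but only because it validates the decoded address with ipaddress rather than string-matching the raw input.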
TSmedia, medijske vsebine in storitve, d.o.o., Cigaletova 15, 1000 Ljubljana, T: +386 1 473 00 10
© TSmedia, medijske vsebine in storitve, d. o. o. All rights reserved 1997-2025.