callback-url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

This looks like an ordinary web address, but the IP 169.254.169.254 is a link-local address reserved exclusively for the AWS Instance Metadata Service (IMDS). This service provides EC2 instances with internal data, most critically the temporary IAM role credentials that applications use to authenticate with AWS APIs.

AWS provides the Instance Metadata Service (IMDS) at the non-routable IP address 169.254.169.254. It allows applications running on an EC2 instance to retrieve information about the instance itself without needing an external API call. The EC2 instance reaches the metadata service by making HTTP requests to 169.254.169.254, a special link-local address that is always available to EC2 instances.

The Risk: SSRF and Metadata Exploitation

In a standard SSRF attack, an attacker supplies this URL to a vulnerable application feature, such as a "URL uploader" or a "webhook callback" field. Because the request originates from inside the server's trusted network, the Metadata Service assumes the request is legitimate and returns the instance's private credentials to the attacker. This effectively grants the attacker the same permissions as the server itself, potentially leading to full compromise of the cloud environment.

If an attacker can trick your application into "calling back" to this URL, your server will fetch its own secret AccessKeyId, SecretAccessKey and SessionToken and send them back to the attacker.

The Evolution of Defense: IMDSv1 vs. IMDSv2

These temporary credentials are provided by AWS, making them significantly safer than permanent keys.

IMDSv2 adds using PUT :

Recommended Security Posture

Protecting against metadata service abuse requires multiple layers. No single control is sufficient.

Use firewalls and network segmentation to prevent unexpected outbound traffic from your application.

Conclusion

Given the severity of these threats, a comprehensive defense is required.
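The page's "webhook callback" field is the point where an application-level check belongs: before the server fetches anything, resolve the supplied host and refuse any destination in a link-local, loopback or private range, so the link-local 169.254.169.254 address can never be reached through user input. The following Python is an added example and not code from the page; the blocklist, the `hooks.example.invalid` hostname and the stand-in resolver used for the second call are assumptions chosen here.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Destination ranges a user-supplied callback URL must never reach. 169.254.0.0/16
# is link-local and contains the IMDS address 169.254.169.254; the other ranges
# keep the server from being pointed at loopback or internal services.
# (Blocklist chosen for this example; tune it to your environment.)
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, includes IMDS
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("0.0.0.0/8"),       # "this network", treated as local
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918 private
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
]


def is_blocked_ip(ip_text):
    """True if the address falls in a blocked range (IPv4-mapped IPv6 is unwrapped)."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_host(host):
    """Return every address the host resolves to; IP literals are returned as-is."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass  # not a literal, fall through to DNS
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def validate_callback_url(url, resolver=resolve_host):
    """Return (allowed, reason) for a callback URL supplied by a user.

    Every resolved address is checked, not just the first, so a name that
    resolves to a mix of public and link-local addresses is rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname  # strips userinfo, port and brackets
    if not host:
        return False, "missing host"
    try:
        addresses = resolver(host)
    except (OSError, ValueError):  # socket.gaierror is an OSError
        return False, "could not resolve host"
    for ip_text in addresses:
        if is_blocked_ip(ip_text):
            return False, f"host resolves to blocked address {ip_text}"
    return True, "ok"


if __name__ == "__main__":
    # The exact callback value from the page, then a public-looking hostname
    # that a constructed resolver maps to the IMDS address.
    print(validate_callback_url(
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/"))
    print(validate_callback_url(
        "https://hooks.example.invalid/notify",
        resolver=lambda host: ["169.254.169.254"]))
```

Two design points matter in practice. First, the check resolves the name itself rather than pattern-matching the URL string, so a hostname or an IPv4-mapped IPv6 literal that points at 169.254.169.254 is caught as well as the bare address. Second, because the HTTP client will resolve the name again when it connects, a name that changes its answer between the check and the fetch can slip through; the fetch should therefore connect to the address that was validated, and this check stays one layer beside the network egress controls and IMDSv2 enforcement the page recommends.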