The fetch-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta-data-2Fiam-2Fsecurity-credentials-2F Payload: A Guide
AWS introduced IMDSv2 to combat SSRF. IMDSv2 requires session-oriented requests: a PUT request obtains a token, which must then be sent as a header in every subsequent GET. SSRF attacks that can only issue simple GET requests (as with most file_get_contents or curl calls without custom headers) will fail.
Decoding the AWS Metadata Exploit: Understanding 169.254.169.254 and SSRF
[Attacker]
  │ 1. Submits encoded payload: "fetch-url-http-3A-2F-2F169.254.169.254..."
  ▼
[Vulnerable Web Server]
  │ 2. Decodes payload and makes internal request to 169.254.169.254
  ▼
[AWS IMDS (v1)]
  │ 3. Returns IAM temporary access keys
  ▼
[Vulnerable Web Server]
  │ 4. Reflects the AWS keys back in the HTTP response
  ▼
[Attacker] (gains unauthorized AWS cloud access)
To retrieve IAM security credentials via this endpoint, you need to be on an EC2 instance that has an IAM role attached. Below are common methods.
Be cautious: over-broad rules may block legitimate calls to external APIs that happen to have "metadata" in their domain.
169.254.169.254: This part of the URL refers to the metadata service endpoint. The metadata service provides information about the instance, such as its ID, type, and IP address.
This URL and the associated metadata service are powerful features of AWS that help manage access to resources securely. Proper understanding and utilization of these features are crucial for maintaining a secure and efficient cloud environment.
Now go ahead and audit your EC2 instances. Run this command to check if any of your instances still use IMDSv1:
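As an added example that is not the page's own command, the audit below turns the IMDSv2 point from earlier (a plain GET without a token is refused only when HttpTokens is "required") into a check over `aws ec2 describe-instances --output json` output. It assumes the documented MetadataOptions fields (HttpEndpoint, HttpTokens) and uses constructed sample data; the instance IDs and ARNs are placeholders.

```python
import json

# Constructed sample of `aws ec2 describe-instances` output (placeholder IDs/ARNs,
# not real account data). HttpEndpoint "enabled" means IMDS is reachable;
# HttpTokens "optional" means IMDSv1 (token-less GET) still works,
# "required" means IMDSv2 is enforced.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111111111111a",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"},
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbb222222222222b",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/api-role"},
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0ccc333333333333c",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0ddd444444444444d",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/batch-role"},
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
]}]})


def find_imdsv1_exposed(describe_json: str) -> list:
    """Return instances where IMDSv1 is still reachable, highest severity first.

    An instance is flagged when the metadata endpoint is enabled and HttpTokens
    is not "required". An attached IAM role raises the severity, because an SSRF
    reaching IMDSv1 there would hand out temporary credentials.
    """
    findings = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue  # IMDS switched off: nothing for an SSRF to reach
            if opts.get("HttpTokens") == "required":
                continue  # IMDSv2 enforced: GET without a session token is rejected
            has_role = "IamInstanceProfile" in inst
            findings.append({"InstanceId": inst["InstanceId"],
                             "HttpTokens": opts.get("HttpTokens", "optional"),
                             "HasIamRole": has_role,
                             "Severity": "HIGH" if has_role else "MEDIUM"})
    # HIGH findings (role attached) first; sort is stable so order is otherwise kept
    return sorted(findings, key=lambda f: f["Severity"] != "HIGH")


if __name__ == "__main__":
    for f in find_imdsv1_exposed(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{f['Severity']:6} {f['InstanceId']} "
              f"HttpTokens={f['HttpTokens']} iam_role={f['HasIamRole']}")
```

Against a real account, pass the JSON from `aws ec2 describe-instances --output json` to find_imdsv1_exposed instead of the sample; every HIGH finding is an instance where an SSRF like the one diagrammed above would still yield IAM credentials.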