Fetch-url-http-3a-2f-2f169.254.169.254-2flatest-2fmeta Data-2fiam-2fsecurity Credentials-2f

Ensure that IAM roles have the least privilege necessary for the instance to function. This means only granting access to the resources that are needed.

iam/security-credentials/ is used specifically to retrieve the security credentials (such as temporary access keys) associated with the IAM role that an EC2 instance is launched with.

{
  "Code" : "Success",
  "LastUpdated" : "2025-05-28T10:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA...",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCY...",
  "Token" : "IQoJb3JpZ2luX2VjEHwaCXVzLW...",
  "Expiration" : "2025-05-28T16:00:00Z"
}

Ensure that only authorized instances and applications can access these credentials. AWS controls access via IAM roles, ensuring that only instances with a role attached can fetch the credentials.

2F represents a forward slash /

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRoleName

An SSRF vulnerability allows an attacker to make the vulnerable application send HTTP requests to arbitrary URLs. If an application takes a user-supplied URL and fetches it (e.g., “Download image from URL” or “Webhook tester”), an attacker can supply:

Temporary access keys, secret keys, and session tokens. Retrieve security credentials from instance metadata

AWS introduced IMDSv2 to stop SSRF attacks. It requires a PUT request to obtain a session token before any GET to metadata. The token is valid for up to 6 hours and must be included in subsequent requests as X-aws-ec2-metadata-token.

Access to S3 buckets, RDS databases, or Secrets Manager can lead to massive data exfiltration.

Attackers don’t magically run curl on your instance. They need to inject this HTTP request into a context that runs on the target machine. The most common methods are:

