Request URL: http://169.254.169.254/latest/meta-data/iam/security-credentials/

* 169.254.169.254 is an IP address used by cloud service providers, such as AWS, Azure, and Google Cloud, to provide metadata abo... (Security Compass)

This IP address is a special one in the AWS ecosystem. It is not a regular, routable IP address but rather one that is only reachable from within an EC2 instance. When a request is made to it, the traffic does not leave the instance; it is handled locally by the Instance Metadata Service (IMDS).

The primary attack vector used to exploit the IMDS is Server-Side Request Forgery (SSRF). An SSRF vulnerability allows an attacker to manipulate a web application into making HTTP requests to internal or otherwise restricted endpoints. If an EC2-hosted application is vulnerable to SSRF, an attacker can trick it into requesting data from the IMDS endpoint on their behalf.

The attacker's goal is to steal the temporary credentials, which can then be used from outside the AWS environment to gain unauthorized access to your cloud resources, such as S3 buckets or other EC2 instances.

A minimal vulnerable pattern (an Express-style handler using axios): the URL comes straight from the query string and is fetched without any validation.

const userUrl = req.query.url; // attacker-controlled, never validated
axios.get(userUrl).then(response => res.send(response.data)); // fetches whatever host the user named and echoes the body back

This specific attack vector was the methodology used in the 2019 Capital One data breach. An attacker used SSRF on a misconfigured web application firewall (WAF) to query the EC2 metadata service, steal credentials, and subsequently exfiltrate over 100 million credit card applications.

The Role of the IAM Security Credentials Endpoint

When code runs inside an AWS Elastic Compute Cloud (EC2) instance, it often needs information about its environment. Instead of hardcoding credentials or configuration files, the instance queries this link-local IP address. Because it is link-local, the traffic never leaves the physical host or travels over the public internet; it is strictly an internal channel between the virtual machine and the hypervisor.

The URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ is the standard endpoint of the AWS Instance Metadata Service (IMDS), specifically used to retrieve temporary security credentials for the IAM role attached to an EC2 instance.

If an attacker obtains these credentials, they can impersonate the instance and access any AWS resource the IAM role is permitted to use, often with devastating consequences.

In the Capital One incident, a misconfigured web application firewall (WAF) allowed the attacker to proxy requests to the metadata service. The compromised role had excessive permissions, including the ability to list and read S3 buckets. The attacker exfiltrated terabytes of sensitive data.
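The application-side fix for the fetch-by-user-URL handler shown earlier, as an added example that is not code from the original page: parse the user-supplied URL with Node's WHATWG URL parser, allow only http/https, and refuse any literal address in a link-local (which contains 169.254.169.254), loopback, or private range, including the IPv4-mapped IPv6 and integer spellings the parser normalises. The function names validateOutboundUrl and isBlockedHost are this example's own; it assumes Node.js and that the caller resolves plain hostnames before re-checking them.

```javascript
// Added example (not from the original page): an SSRF guard to call before
// axios.get(userUrl). Only http/https pass, and literal addresses in blocked
// ranges are refused, so 169.254.169.254 never reaches the outbound request.

// Ranges a public web app should never proxy to; 169.254.0.0/16 is link-local
// and contains the metadata endpoint.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

function inCidr(ip, base, bits) {
  const mask = (~0 << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// True when a hostname produced by the URL parser is a literal in a blocked
// range. The parser has already turned integer spellings (e.g. 2852039166)
// into dotted quads and IPv4-mapped IPv6 into ::ffff:xxxx:xxxx form.
function isBlockedHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, ''); // URL.hostname keeps [] on IPv6
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) {
    return BLOCKED_V4.some(([base, bits]) => inCidr(h, base, bits));
  }
  if (h.includes(':')) {
    // loopback, unspecified, unique-local fc00::/7, link-local fe80::/10,
    // and IPv4-mapped addresses (which could wrap 169.254.169.254)
    return h === '::1' || h === '::' || /^(::ffff:|f[cd]|fe[89ab])/i.test(h);
  }
  // Not a literal: 'localhost' is refused outright. Any other hostname must be
  // resolved by the caller and the resolved address re-checked here (and
  // pinned for the actual request) so DNS rebinding cannot bypass the guard.
  return h.toLowerCase() === 'localhost';
}

// Returns {ok, reason}; the handler refuses the request when ok is false.
function validateOutboundUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (isBlockedHost(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} is in a blocked range` };
  }
  return { ok: true, reason: 'allowed' };
}
```

This guard is defence in depth on the application side; the platform-side control is to require IMDSv2 on the instance, whose session-token requirement stops a plain GET issued through SSRF from returning credentials.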