A compromised Docker image might run this command at startup, exfiltrate the token to a remote server, and silently give the attacker access to the cloud environment.
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
This is a request to the AWS EC2 instance metadata service (IMDSv2), which uses the IP address 169.254.169.254 — a link-local address reserved for instance metadata.
AWS supports both versions for backwards compatibility, but leaving IMDSv1 enabled leaves a window of vulnerability open: IMDSv1 answers plain GET requests, so any SSRF, open-proxy or request-forwarding bug in an application on the instance can reach the credential endpoints. IMDSv2 requires a token obtained with a PUT request and presented in a custom header, which those bug classes typically cannot supply. Security teams should actively enforce IMDSv2 across their cloud infrastructure.

How to Enforce IMDSv2 via AWS CLI
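The following is an added example, not code from the original article: a small script that audits which instances in the current region still accept IMDSv1 and switches them to IMDSv2-only with the AWS CLI. It assumes AWS CLI v2 and credentials allowed to call ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions; the sample text at the bottom is a constructed stand-in for the CLI's `--output text` rows so the filter can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Assumes AWS CLI v2 and
# permissions for ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions.
set -eu

# Each output row is: <instance-id> TAB <HttpTokens> TAB <HttpPutResponseHopLimit>
# "optional" means IMDSv1 is still accepted; "required" means IMDSv2-only.
list_metadata_options() {
    aws ec2 describe-instances \
        --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens,MetadataOptions.HttpPutResponseHopLimit]' \
        --output text
}

# Reduce describe output (on stdin) to the IDs that still accept IMDSv1.
imdsv1_instances() {
    awk -F'\t' '$2 == "optional" { print $1 }'
}

# Enforce IMDSv2 on one instance. A hop limit of 1 means the PUT response
# carrying the token is discarded if it crosses a network hop, which is what
# happens for a Docker container in bridge mode, so such containers cannot
# obtain a token at all. Raise it to 2 only if containerised workloads
# legitimately need the instance role.
enforce_imdsv2() {
    local instance_id="$1" hop_limit="${2:-1}"
    aws ec2 modify-instance-metadata-options \
        --instance-id "$instance_id" \
        --http-tokens required \
        --http-endpoint enabled \
        --http-put-response-hop-limit "$hop_limit"
}

# Remediate every IMDSv1-capable instance in the current region.
enforce_all() {
    list_metadata_options | imdsv1_instances | while read -r id; do
        echo "enforcing IMDSv2 on $id"
        enforce_imdsv2 "$id"
    done
}

# Constructed sample of describe-instances text output (not real instances),
# used to exercise the filter without calling AWS.
SAMPLE_OUTPUT=$(printf 'i-0aaa111\toptional\t1\ni-0bbb222\trequired\t1\ni-0ccc333\toptional\t2\n')
```

Run `enforce_all` from a shell with the target account's credentials loaded; `printf '%s\n' "$SAMPLE_OUTPUT" | imdsv1_instances` shows what the filter selects. Enforcing on running instances fixes only those instances: launch templates, Auto Scaling groups and AMIs that create new instances with `HttpTokens=optional` need the same setting applied at their level, or the window reopens with the next launch.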
This command retrieves a session token from the AWS Instance Metadata Service Version 2 (IMDSv2). That token can then be used to read deeper metadata, including the temporary IAM role credentials attached to the instance. In the wrong hands, those credentials lead to account takeover, data breaches, and cryptocurrency mining attacks.
Mastering curl http://169.254.169.254/latest/api/token: The Key to Modern AWS IMDSv2
# Step 1: Generate the token and store it in a variable
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Step 2: Use the token to access instance metadata
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
First, get the role name (the security-credentials listing returns a single line if the instance has one role), then:
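The complete IMDSv2 sequence from token to role credentials, as an added example that is not part of the original article: it is the procedure an operator runs from inside an instance to see exactly what a compromised process there could read. The functions use the documented IMDS paths; `IMDS_BASE` is an assumed override so they can be pointed at a mock endpoint, and the credential document at the bottom is a constructed sample in the shape IMDS returns, not a real credential.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Run on the EC2 instance
# itself; IMDS_BASE is an assumed override for testing against a mock.
set -eu

IMDS_BASE="${IMDS_BASE:-http://169.254.169.254}"

# Step 1: session token via PUT. 21600 seconds (6 hours) is the maximum TTL.
imds_token() {
    curl -sS -X PUT "$IMDS_BASE/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
}

# Step 2: fetch any metadata path with the header IMDSv2 requires.
imds_get() {
    curl -sS -H "X-aws-ec2-metadata-token: $1" "$IMDS_BASE/latest/meta-data/$2"
}

# Step 3: the role name. The listing prints one name per line; an instance
# has at most one instance profile, so this is normally a single line.
imds_role_name() {
    imds_get "$1" "iam/security-credentials/"
}

# Step 4: the credential document for that role.
imds_role_credentials() {
    imds_get "$1" "iam/security-credentials/$2"
}

# Pull one string field out of the credential JSON without depending on jq.
# Each field sits on its own line in the IMDS response, which is all sed needs.
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# End-to-end: prints the three values an attacker would exfiltrate.
dump_role_credentials() {
    token=$(imds_token)
    role=$(imds_role_name "$token")
    creds=$(imds_role_credentials "$token" "$role")
    printf 'AccessKeyId=%s\nSecretAccessKey=%s\nToken=%s\n' \
        "$(json_field "$creds" AccessKeyId)" \
        "$(json_field "$creds" SecretAccessKey)" \
        "$(json_field "$creds" Token)"
}

# Constructed sample of the credential document (shape only, not a real key).
SAMPLE_CREDS='{
  "Code" : "Success",
  "LastUpdated" : "2024-01-01T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEYID",
  "SecretAccessKey" : "examplesecretkey/NotReal",
  "Token" : "IQoJb3JpZ2luX2VjEXAMPLE==",
  "Expiration" : "2024-01-01T06:00:00Z"
}'
```

`dump_role_credentials` is the whole attack path in four HTTP requests; the only thing standing between an in-instance process and those three values is the PUT step, which is why the hop limit and host-firewall controls discussed on this page matter. If you run it during an incident, treat the output as leaked and revoke the role's active sessions.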
Any EC2 instance can query this address to discover information about itself without making an external internet request. The metadata available includes:
- IAM roles and temporary security credentials
- Instance ID, hostname, and security groups
- Network interface configuration
- User data scripts executed at launch

The Evolution: IMDSv1 vs. IMDSv2
Never assign an administrator role to an EC2 instance; grant the instance role only the permissions the workload needs. The role's credentials are short-lived and rotated automatically by AWS, so the useful controls are scoping the role tightly and revoking its active sessions as soon as a leak is suspected.
Add a drop rule for 169.254.169.254 in the OS firewall for every user except root (and any agent account that genuinely needs metadata). Security groups cannot do this: IMDS traffic never leaves the instance's network stack, so it is invisible to them. Note that legitimate services such as cloud-init, the SSM agent and the CloudWatch agent do need IMDS, so keep an exception for the accounts they run under.
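One way to express that rule with iptables, as an added example (not from the original article): exceptions for the allowed UIDs followed by a drop, plus a separate rule for bridge-mode containers, whose traffic never passes the OUTPUT chain. It assumes iptables with the owner match module and, for the container rule, Docker's DOCKER-USER chain. The functions only print the rules; apply them as root with `imds_firewall_rules 0 | sh`.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Assumes iptables with the
# owner module and, for the container rule, Docker's DOCKER-USER chain.
set -eu

IMDS_IP=169.254.169.254

# Print ACCEPT exceptions for the given UIDs (0 for root daemons such as
# cloud-init and the SSM agent), then a DROP for everyone else. iptables
# evaluates rules in order, so the exceptions must come before the DROP.
imds_firewall_rules() {
    local uid
    for uid in "$@"; do
        printf 'iptables -A OUTPUT -d %s -m owner --uid-owner %s -j ACCEPT\n' "$IMDS_IP" "$uid"
    done
    printf 'iptables -A OUTPUT -d %s -j DROP\n' "$IMDS_IP"
}

# Packets from bridge-mode containers are forwarded, not locally generated,
# so the owner match in OUTPUT never sees them. Docker consults DOCKER-USER
# before its own forwarding rules, which makes it the place to drop them.
imds_container_rule() {
    printf 'iptables -I DOCKER-USER -d %s -j DROP\n' "$IMDS_IP"
}

# Sanity check for a generated rule set on stdin: how many ACCEPT exceptions
# precede the first DROP. Anything after the DROP would be dead.
count_exceptions_before_drop() {
    awk '/-j DROP/ { exit } /-j ACCEPT/ { n++ } END { print n+0 }'
}
```

Two caveats a practitioner will want: the UID exception also covers a root process inside a container started with `--network host`, so untrusted images should not run as root with host networking; and host firewall rules are a defence in depth, not a substitute for `HttpTokens=required` and a hop limit of 1, which stop the same traffic on the AWS side regardless of host configuration.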
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/user-data
The AWS metadata service is a RESTful API that provides information about an instance. The service is accessible only from within the instance and is used to retrieve metadata about the instance, such as its ID, type, and IP address. The service is typically used by applications running on the instance to access other AWS resources.
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/

Why This Matters for Security
With those three values (the AccessKeyId, SecretAccessKey and session Token returned for the instance role), an attacker can call AWS APIs as your EC2 instance's role from anywhere in the world until the credentials expire or the role's sessions are revoked.