Applications running on the instance can query this service without needing to hardcode credentials or configuration. For example, a web server can automatically discover which security groups it belongs to, or an application can retrieve temporary AWS credentials attached to the instance’s IAM role.
Add a drop rule for 169.254.169.254 in OS firewall or security groups for anyone except the root user. But note: legitimate services might need it. curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken