callback-url http://169.254.169.254/latest/meta-data/iam/security-credentials/

When an application runs on an EC2 instance, whether it is a web server, a backend worker, or a monitoring tool, it often needs permission to interact with AWS services such as S3, DynamoDB, or SQS. Instead of hardcoding access keys in your code, which is a major security risk, you attach an IAM role to the instance.

169.254.169.254 is not a public internet address. It is an internal, non-routable IP address reserved for instance metadata services, specifically within Amazon Web Services (AWS), though other clouds (Google Cloud, Azure, OpenStack) use similar endpoints.

To fetch the credentials, a user or application typically follows these steps:

1. List available roles by requesting http://169.254.169.254/latest/meta-data/iam/security-credentials/

2. Once you have the role name, you query it directly to get the credentials:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/MyAppRole

With these credentials, an attacker can perform any action the server is authorized to do, such as accessing S3 buckets, modifying databases, or launching new instances.

Mitigation: IMDSv2

IMDSv2 requires the client to obtain a session token before any metadata can be read. The client then includes that token in a custom HTTP header for all subsequent GET requests.

| Action | Why |
|--------|-----|
| | It would leak credentials if run on an EC2 instance. |
| Block outbound requests to 169.254.169.254 | Prevent SSRF attacks at network level. |
| Disable IMDSv1 | Enforce IMDSv2 (requires session token). |
| Review any callback/webhook feature | Ensure it doesn't allow arbitrary URLs. |
| Rotate IAM credentials if exposed | Assume compromise if the callback was triggered. |
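The "Review any callback/webhook feature" mitigation is where an application decides whether a user-supplied URL can ever reach 169.254.169.254. The following Python check is an added example, not code from the original page or from AWS; it rejects callback URLs that point at the metadata service or any other non-public address, including IPv6 and IPv4-mapped forms. Assumptions: the METADATA_HOSTNAMES denylist is illustrative, and table_resolver together with the 11.22.33.44 address are constructed purely for offline demonstration.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

# Hostnames that cloud metadata services answer to. Assumption: this denylist
# is illustrative only; extend it for the providers you actually run on.
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA address it maps to (raises OSError on failure)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver from a constructed host->addresses table (tests/demos only)."""
    def resolve(host: str) -> List[str]:
        if host not in table:
            raise OSError(f"constructed NXDOMAIN for {host}")
        return table[host]
    return resolve


def is_blocked_address(addr: IPAddress) -> bool:
    """True for any address a callback must never reach: link-local (IMDS sits at
    169.254.169.254 and fd00:ec2::254), RFC 1918, CGNAT, loopback, reserved, multicast."""
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global or addr.is_link_local or addr.is_loopback
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_callback_url(url: str, resolver: Resolver = system_resolver) -> bool:
    """Accept only http(s) URLs whose host resolves exclusively to public addresses.
    Anything unparsable or unresolvable is rejected (fail closed)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # IPv6 brackets stripped, lowercased
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False                      # no file://, gopher://, dict:// ...
    if not host or parts.username or parts.password:
        return False                      # empty host, or user:pass@host tricks
    host = host.rstrip(".")
    if host in METADATA_HOSTNAMES:
        return False
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None                    # not a plain dotted/colon literal
    if literal is not None:
        return not is_blocked_address(literal)
    # A hostname: every address it resolves to must be public. Odd literals such
    # as 0xa9fea9fe or 2852039166 fall through here and are rejected unless the
    # resolver turns them into a public address.
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    except (OSError, ValueError):
        return False
    return bool(addrs) and not any(is_blocked_address(a) for a in addrs)


if __name__ == "__main__":
    # Constructed demo table; 11.22.33.44 stands in for a public address.
    demo = table_resolver({"hooks.example.com": ["11.22.33.44"],
                           "rebind.example.com": ["11.22.33.44", "169.254.169.254"]})
    for u in ("https://hooks.example.com/notify",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://[fd00:ec2::254]/latest/meta-data/",
              "https://rebind.example.com/notify"):
        print(f"{'ALLOW' if is_safe_callback_url(u, demo) else 'REJECT':6} {u}")
```

Resolve once and then connect to the vetted address rather than letting the HTTP client resolve again, otherwise a DNS record that changes between check and use (rebinding) defeats the filter. A URL filter is one layer; the network-level block and IMDSv2 enforcement from the table above still apply, because new encodings of the same address keep turning up.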