Callback URL: http://169.254.169.254/latest/meta-data/iam/security-credentials/
Under IMDSv2, the application must first send a PUT request carrying a specific header (X-aws-ec2-metadata-token-ttl-seconds) to obtain a session token.
Any process running locally on an EC2 instance can query this IP address without authentication to learn about the instance's environment.
When an AWS EC2 instance is assigned an IAM role, any application or script running inside that instance can retrieve temporary AWS credentials simply by curling the URL above, followed by the role name.

| Action | Why |
|--------|-----|
| | It would leak credentials if run on an EC2 instance. |
| Block outbound requests to 169.254.169.254 | Prevent SSRF attacks at the network level. |
| Disable IMDSv1 | Enforce IMDSv2 (requires a session token). |
| Review any callback/webhook feature | Ensure it doesn't allow arbitrary URLs. |
| Rotate IAM credentials if exposed | Assume compromise if the callback was triggered. |
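One way to implement the "review any callback/webhook feature" row of the table, as an added Python example that is not part of the original page: the validator rejects callback URLs whose host is the metadata service or any other non-public address, and checks both the raw input and its percent-decoded form so the encoded variant shown in the title is caught. The resolver, hostnames and sample URLs are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}

def default_resolver(host):
    """All addresses the host resolves to (assumed resolver; swap in for tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public(addr):
    """True only for globally routable unicast addresses. Rejects 169.254.0.0/16
    (IMDS at 169.254.169.254), fd00:ec2::254, RFC 1918, loopback and multicast."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast

def check_one(url, resolver):
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"  # hides the real host
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:  # IP literal (IPv4 or bracketed IPv6): no lookup needed
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except (OSError, UnicodeError):  # socket.gaierror is an OSError
            return False, f"cannot resolve {host!r}"
    if not addrs:
        return False, f"no addresses for {host!r}"
    bad = [a for a in addrs if not is_public(a)]
    if bad:  # any non-public answer fails, not just the first one
        return False, f"{host!r} resolves to non-public address {bad}"
    return True, "ok"

def validate_callback_url(url, resolver=default_resolver):
    """Return (ok, reason). Both the raw string and its percent-decoded form must
    pass, so http%3a%2f%2f169.254.169.254%2f... is rejected however the app
    later decodes it."""
    for candidate in (url, unquote(url)):
        ok, reason = check_one(candidate, resolver)
        if not ok:
            return False, reason
    return True, "ok"
```

Run the validator at the point where the callback URL is stored and again just before the request is issued, since DNS answers can change between the two.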
If the application fails to validate this URL input, an attacker can replace their own callback endpoint with the cloud provider's metadata IP address. The decoded structure breaks down as follows:
If an attacker gains code execution on a cloud VM—via a vulnerable web app, SSRF (Server-Side Request Forgery), or a compromised dependency—their next immediate step is almost always: