The metadata service exposes a RESTful API that allows instances to retrieve metadata about themselves. The API is accessible via the 169.254.169.254 IP address and provides a range of endpoints for retrieving different types of metadata.
This "token-backed" method effectively kills most SSRF attacks because standard SSRF vulnerabilities rarely allow an attacker to control HTTP methods (changing GET to PUT) or inject custom headers. Conclusion The metadata service exposes a RESTful API that
| Action | Why | |--------|-----| | | It would leak credentials if run on an EC2 instance. | | Block outbound requests to 169.254.169.254 | Prevent SSRF attacks at network level. | | Disable IMDSv1 | Enforce IMDSv2 (requires session token). | | Review any callback/ webhook feature | Ensure it doesn’t allow arbitrary URLs. | | Rotate IAM credentials if exposed | Assume compromise if the callback was triggered. | Conclusion | Action | Why | |--------|-----| |
callback-url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ | | Review any callback/ webhook feature |