EC2 Instance Metadata Service (IMDSv1)

Description

IMDSv1 is vulnerable to server-side request forgery (SSRF). If an application or proxy can reach http://169.254.169.254 without additional protections, an attacker who controls the request target can fetch the instance profile's temporary credentials and call AWS APIs as that role. IMDSv2 requires a session token (obtained with a PUT request) and enforces a hop limit on the token response, which closes many SSRF paths because a forwarded GET alone cannot obtain a token. Similar metadata endpoints exist for ECS tasks (169.254.170.2) and can be abused if tasks expose that network path.

Examples

Check Instance Metadata Options

aws ec2 describe-instances --instance-ids <id> \
  --query 'Reservations[].Instances[].MetadataOptions'

If HttpTokens is "optional", IMDSv1 is enabled (the instance answers unauthenticated GET requests); "required" means IMDSv2 only.
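The check above is easy to run one instance at a time, but a fleet review needs the same rule applied to every MetadataOptions record and a remediation command per finding. The following is an added example, not code from the original page: assess_metadata_options, audit and remediation_command are assumed helper names, and SAMPLE_INSTANCES is constructed data shaped like the describe-instances output, not real AWS output. The remediation string uses the real aws ec2 modify-instance-metadata-options flags.

```python
"""Audit EC2 MetadataOptions records for IMDSv1 exposure (added example)."""

# Constructed sample in the shape of
#   aws ec2 describe-instances --query 'Reservations[].Instances[].{InstanceId:InstanceId,MetadataOptions:MetadataOptions}'
# Instance ids are placeholders, not real instances.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0example0000000001",
     "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0example0000000002",
     "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0example0000000003",
     "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0example0000000004",
     "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
]


def assess_metadata_options(opts):
    """Return a list of finding strings for one MetadataOptions object."""
    findings = []
    # A disabled endpoint cannot serve credentials at all, so nothing to flag.
    if opts.get("HttpEndpoint") == "disabled":
        return findings
    # Anything other than "required" leaves IMDSv1 (token-less GET) enabled.
    if opts.get("HttpTokens") != "required":
        findings.append("IMDSv1 enabled: HttpTokens is %r, not 'required'"
                        % opts.get("HttpTokens"))
    # A hop limit above 1 lets the token PUT response cross an extra network
    # hop (for example into a container behind the instance's NAT).
    hop_limit = int(opts.get("HttpPutResponseHopLimit", 1))
    if hop_limit > 1:
        findings.append("hop limit %d > 1: IMDSv2 tokens reachable beyond the host"
                        % hop_limit)
    return findings


def audit(instances):
    """Map instance id -> findings, keeping only instances with at least one."""
    results = {}
    for inst in instances:
        findings = assess_metadata_options(inst.get("MetadataOptions", {}))
        if findings:
            results[inst["InstanceId"]] = findings
    return results


def remediation_command(instance_id, hop_limit=1):
    """Build the aws CLI call that enforces IMDSv2 on one instance."""
    return ("aws ec2 modify-instance-metadata-options --instance-id %s "
            "--http-tokens required --http-endpoint enabled "
            "--http-put-response-hop-limit %d" % (instance_id, hop_limit))


if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE_INSTANCES).items():
        print(instance_id)
        for f in findings:
            print("  -", f)
        print("  fix:", remediation_command(instance_id))
```

In practice the input list comes from the describe-instances call shown above (run per region and paginated); the assessment logic is the same. Keep the hop limit at 1 unless a workload genuinely needs IMDS access from inside containers, in which case 2 is the usual value and the finding should be accepted explicitly rather than silenced.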

Fetch Credentials (on instance)

curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>

Successful retrieval without a token proves that IMDSv1 is reachable from that context and that the role's credentials are exposed.

Test IMDSv2 token requirement

# Expect 401 without token if IMDSv2 enforced
curl -s -o /dev/null -w "%{http_code}\n" http://169.254.169.254/latest/meta-data/
# Obtain token and use it
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/

Remediation

  1. Enforce IMDSv2 everywhere
    • Set HttpTokens=required, HttpEndpoint=enabled, and reduce HttpPutResponseHopLimit (1 when possible) on all instances via launch templates and EC2 instance profiles.
  2. Prevent SSRF reachability
    • Block metadata IPs in host/network firewalls and proxies; implement SSRF protections in apps (allow-lists of permitted destinations, strict URL parsing, checks on every resolved address).
  3. Minimize credential scope and exposure
    • Use least-privilege instance profiles; prefer IAM Roles for Service Accounts (IRSA) on EKS; restrict ECS task metadata and use task roles; monitor STS usage for anomalies.
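Remediation item 2 asks applications to refuse outbound requests to the metadata endpoints. The following is an added example of such a guard, not code from the original page: check_outbound_url, is_blocked_address and the constructed_resolver lookup table are assumed names, and the resolver table is constructed data so the block runs offline. The blocked addresses themselves (169.254.169.254, 169.254.170.2 and the IMDS IPv6 endpoint fd00:ec2::254) are the documented ones. It goes slightly beyond the text by also rejecting IPv4-mapped IPv6 forms and hostnames that resolve into the blocked ranges.

```python
"""Refuse application-initiated requests to instance/task metadata and
other internal addresses (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an application should never be allowed to fetch on a user's behalf.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),    # link-local: IMDS 169.254.169.254, ECS task metadata 169.254.170.2
    ipaddress.ip_network("fd00:ec2::254/128"),  # IMDS IPv6 endpoint
    ipaddress.ip_network("fe80::/10"),          # IPv6 link-local
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed lookup table standing in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],   # a name pointing at IMDS
    "dual.example": ["93.184.216.34", "169.254.170.2"],  # one good, one bad record
}


def constructed_resolver(host):
    """Offline stand-in for resolve_all(); raises OSError for unknown names."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise OSError("unknown host %r" % host)


def resolve_all(host):
    """Real resolver: every A/AAAA record for host via getaddrinfo."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr_text):
    """True if addr_text is unparsable or falls inside a blocked range."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return True
    # ::ffff:169.254.169.254 is the same destination as 169.254.169.254.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolver=resolve_all):
    """Return (allowed, reason). Every address the host can resolve to is checked."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP, v4 or bracketed v6
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, "resolution failed: %s" % exc
    for addr in addrs:
        if is_blocked_address(addr):
            return False, "%s -> %s is a blocked metadata/internal address" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "http://169.254.169.254/latest/meta-data/",
              "http://metadata.internal.example/", "http://[fd00:ec2::254]/"):
        print(u, check_outbound_url(u, constructed_resolver))
```

One caveat: checking at validation time and letting the HTTP client resolve the name again later leaves a window for DNS rebinding. To close it, connect to the address you validated (or re-run is_blocked_address on the socket's peer address) rather than passing the hostname back to the client library, and combine the application check with the host firewall rule from item 2 so a bypass in one layer is still caught by the other.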