curl --url http://169.254.169.254/latest/api/token

http://169.254.169.254/latest/api/token

Once upon a time in the vast cloud of Amazon Web Services (AWS), there lived a humble EC2 instance i-0abc12345

The token endpoint itself (/latest/api/token) is less commonly seen in attack logs because it arrived later, with IMDSv2 in late 2019, but as more companies migrate to IMDSv2, attackers now explicitly request the token first. Note what that request needs: an HTTP PUT with a custom X-aws-ec2-metadata-token-ttl-seconds header. A typical web SSRF only lets an attacker trigger a GET with no control over method or headers, so a PUT to this path in your logs usually points to code execution on the instance (or an unusually capable SSRF gadget) rather than a plain SSRF.

2. Enforce IMDSv2 only

aws ec2 modify-instance-metadata-options \
    --instance-id i-12345 \
    --http-tokens required \
    --http-endpoint enabled
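Before running the command above fleet-wide it helps to know which instances actually need it. The following is an added example, not AWS code or code from this page: it audits the MetadataOptions block that `aws ec2 describe-instances` prints and emits the remediation command for each non-compliant instance. The JSON sample is constructed; the field names (HttpTokens, HttpEndpoint, HttpPutResponseHopLimit) are the real ones. It also flags a hop limit above 1, because a PUT response with a higher TTL can reach containers behind a bridge network on the host, which widens who can obtain a token.

```python
"""Audit IMDS settings from `aws ec2 describe-instances` JSON.

Added example, not the page's or AWS's own code. The sample output below
is constructed; real output comes from
    aws ec2 describe-instances --output json
"""
import json

# Constructed sample: four instances with different MetadataOptions.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "MetadataOptions": {
        "State": "applied", "HttpTokens": "optional",      # IMDSv1 still allowed
        "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbb222", "MetadataOptions": {
        "State": "applied", "HttpTokens": "required",
        "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},  # reachable from containers
    {"InstanceId": "i-0ccc333", "MetadataOptions": {
        "State": "applied", "HttpTokens": "required",
        "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},  # compliant
    {"InstanceId": "i-0ddd444", "MetadataOptions": {
        "State": "applied", "HttpTokens": "optional",
        "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},  # no IMDS at all
]}]})


def audit_metadata_options(describe_json, max_hop_limit=1):
    """Return [(instance_id, [problem, ...]), ...] for instances whose
    metadata service is reachable but not locked to IMDSv2."""
    findings = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # nothing to reach, nothing to audit
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed (HttpTokens=%s)" % opts.get("HttpTokens"))
            hop = opts.get("HttpPutResponseHopLimit", 1)
            if hop > max_hop_limit:
                problems.append("token PUT response hop limit %d (>%d): reachable "
                                "from NAT'd containers" % (hop, max_hop_limit))
            if problems:
                findings.append((inst["InstanceId"], problems))
    return findings


def remediation_commands(findings):
    """One modify-instance-metadata-options call per finding."""
    return ["aws ec2 modify-instance-metadata-options --instance-id %s "
            "--http-tokens required --http-put-response-hop-limit 1 "
            "--http-endpoint enabled" % iid for iid, _ in findings]


if __name__ == "__main__":
    found = audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES)
    for iid, problems in found:
        print(iid, "; ".join(problems))
    print("\n".join(remediation_commands(found)))
```

Pipe real CLI output into `audit_metadata_options` and review the findings before applying the generated commands; IMDSv1-only SDKs or agents on an instance will break once HttpTokens is required, so check that first.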
  1. Instance Launch: When an instance is launched in AWS, it is assigned a unique instance ID and IP address.
  2. Metadata Service Access: The instance can access the metadata service via the special URL http://169.254.169.254/latest/meta-data/.
  3. Retrieve Metadata: The instance can retrieve metadata about itself, such as its ID, type, and IP address.
  4. Retrieve Temporary Security Credentials: If an IAM role is attached to the instance, the metadata service also hands out temporary credentials for that role, which any process on the instance can then use to call other AWS APIs with the role's permissions.

Cloud providers reserve the link-local address 169.254.169.254 for their instance metadata service. From inside a virtual machine (EC2 instance in AWS, Compute Engine VM in GCP, Virtual Machine in Azure), you can query this IP to get information about the instance itself without needing any external credentials. GCP and Azure have always required a request header (Metadata-Flavor: Google and Metadata: true respectively); AWS IMDSv1 requires nothing at all, which is why it has been the classic SSRF target.

The command curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" requests an IMDSv2 session token valid for 21600 seconds (six hours, the maximum TTL); every later metadata request must present that token in the X-aws-ec2-metadata-token header.

Under IMDSv1, by contrast, a plain GET to http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name> would directly return the instance role's temporary credentials (AccessKeyId, SecretAccessKey, Token) in plaintext JSON. No authentication, no token, no headers. Any process on the VM, including a compromised web application or an SSRF through one, could get the role's keys, and in badly scoped deployments those are effectively admin keys.