Despite the availability of IMDSv2 since late 2019, many legacy instances and misconfigured auto-scaling groups still run IMDSv1, leaving the http://169.254.169.254/latest/meta-data/iam/security-credentials/ endpoint wide open.
The request includes the path to the IAM security credentials. The metadata service uses the instance's identity to determine which IAM roles are attached to the instance.
The URL provided refers to the .

Purpose and Function
This is the most impactful and straightforward mitigation. By setting the http_tokens option to required on your EC2 instances (or in launch templates and Auto Scaling groups), you completely disable IMDSv1. This forces all metadata requests to use the session-oriented IMDSv2, effectively neutralizing the vast majority of SSRF-based credential theft attacks. AWS makes this configuration available via the AWS Console, CLI, SDKs, and infrastructure-as-code tools like Terraform.
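A way to find the instances that still need this change, as an added example rather than code from the page or from AWS: the function below reads the JSON shape that `aws ec2 describe-instances` returns (Reservations, Instances, MetadataOptions with HttpEndpoint and HttpTokens, which are real AWS output fields) and reports every instance whose metadata endpoint is on but still answers IMDSv1. The instance records are constructed sample data with placeholder IDs.

```python
"""Audit EC2 instances for IMDSv1 exposure (HttpTokens not set to "required").

Added example, not code from the original page. It consumes the JSON shape
returned by `aws ec2 describe-instances`; the instance records below are
constructed sample data with placeholder instance IDs, not real account output.
"""
from typing import Dict, List

# Constructed sample in describe-instances shape; instance IDs are placeholders.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {
            "Instances": [
                {  # IMDSv1 still answers plain GETs: the SSRF-exposed case
                    "InstanceId": "i-0000000000000aaaa",
                    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
                },
                {  # IMDSv2-only: a session token is mandatory
                    "InstanceId": "i-0000000000000bbbb",
                    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
                },
                {  # metadata endpoint switched off entirely
                    "InstanceId": "i-0000000000000cccc",
                    "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"},
                },
            ]
        }
    ]
}


def imds_findings(describe_output: Dict) -> List[Dict[str, str]]:
    """Return one finding per instance that still accepts IMDSv1 requests."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # nothing reachable at 169.254.169.254 on this instance
            if opts.get("HttpTokens") != "required":
                iid = inst["InstanceId"]
                findings.append({
                    "InstanceId": iid,
                    "Issue": "IMDSv1 enabled (HttpTokens=optional)",
                    # Remediation for a running instance; launch templates and
                    # Auto Scaling groups need the same setting at their source.
                    "Fix": f"aws ec2 modify-instance-metadata-options "
                           f"--instance-id {iid} --http-tokens required",
                })
    return findings


if __name__ == "__main__":
    for finding in imds_findings(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{finding['InstanceId']}: {finding['Issue']}\n  fix: {finding['Fix']}")
```

Against a real account, feed it `json.load(sys.stdin)` from `aws ec2 describe-instances --output json`. Instances with the endpoint disabled are skipped on purpose: there is nothing at 169.254.169.254 for an SSRF to reach. The Terraform equivalent of the fix is `metadata_options { http_tokens = "required" }` on the `aws_instance` or `aws_launch_template` resource.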
Even with protections in place, you should monitor for attempts to access the metadata endpoint.
If a web application on the instance makes HTTP requests based on user input (e.g., fetch(user_provided_url)), an attacker can supply http://169.254.169.254/latest/meta-data/iam/security-credentials/ and steal the instance's IAM keys.
Thus http%3A%2F%2F → http://
169.254.169.254 is a special link-local address reserved for metadata services. It is not reachable from the public internet; it can only be reached from within the cloud provider's virtual network or from the instance itself.
IMDSv2's token-based authentication provides protection against a range of threats, including misconfigured open website application firewalls (WAFs), reverse proxies, and unpatched SSRF vulnerabilities, all of which can be exploited against IMDSv1. By default, both IMDSv1 and IMDSv2 are often enabled for backward compatibility. However, AWS strongly recommends enforcing IMDSv2-only mode as a security best practice.

| Feature | IMDSv1 | IMDSv2 |
| :--- | :--- | :--- |
| Authentication | None. Simple GET requests. | Session-based tokens required. |
| SSRF Protection | Highly vulnerable. | Resilient against basic SSRF. |
| Request Method | GET | PUT for token, GET for data. |
| Defense in Depth | Low. | High (adds multiple barriers). |
| AWS Recommendation | Legacy, not recommended. | Best practice and standard. |
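The "PUT for token, GET for data" row is the whole reason IMDSv2 resists basic SSRF, and it is easiest to see with both sides of the exchange in front of you. The following added example (not code from the page or from AWS) runs the real IMDSv2 request shape, a PUT to /latest/api/token carrying X-aws-ec2-metadata-token-ttl-seconds and then a GET carrying X-aws-ec2-metadata-token, against a constructed stand-in server bound to 127.0.0.1 that behaves like an instance with http_tokens set to required. The stand-in, its port, and the placeholder role name it returns are assumptions for the demo; the real service answers only on 169.254.169.254 from inside the instance.

```python
"""IMDSv2 session-token exchange, exercised against a local stand-in server.

Added example, not code from the page or from AWS. The PUT /latest/api/token
request and the two X-aws-ec2-metadata-token* headers are the real IMDSv2
interface; StandInIMDS is a constructed minimal emulation so the exchange runs
offline, and the role name it serves is a placeholder.
"""
import http.server
import secrets
import threading
import urllib.error
import urllib.request

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


class StandInIMDS(http.server.BaseHTTPRequestHandler):
    """Constructed emulation of an instance with http_tokens = required."""
    issued_tokens = set()

    def log_message(self, *_):  # keep the demo output quiet
        pass

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # Step 1 of IMDSv2: a PUT with a TTL header yields a session token.
        if self.path != TOKEN_PATH or TOKEN_TTL_HEADER not in self.headers:
            self._reply(400, b"bad token request\n")
            return
        token = secrets.token_urlsafe(32)
        StandInIMDS.issued_tokens.add(token)
        self._reply(200, token.encode())

    def do_GET(self):
        # Step 2: metadata GETs must carry a token from step 1. A bare GET,
        # which is all a typical SSRF primitive can send, is refused.
        if self.headers.get(TOKEN_HEADER) not in StandInIMDS.issued_tokens:
            self._reply(401, b"missing or invalid session token\n")
            return
        if self.path == CREDS_PATH:
            self._reply(200, b"placeholder-role-name\n")  # real IMDS lists the attached role here
        else:
            self._reply(404, b"not found\n")


def fetch_with_imdsv2(base_url, path, ttl_seconds=21600):
    """Client side of the exchange: PUT for a token, then GET with it."""
    req = urllib.request.Request(
        base_url + TOKEN_PATH, method="PUT", headers={TOKEN_TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=3) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base_url + path, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.status, resp.read().decode().strip()


def plain_get_status(base_url, path):
    """IMDSv1-style request with no token; returns the HTTP status code."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=3) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_exchange():
    """Start the stand-in, try both request styles, return the outcomes."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StandInIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_port}"
    try:
        v1_status = plain_get_status(base_url, CREDS_PATH)
        v2_status, body = fetch_with_imdsv2(base_url, CREDS_PATH)
    finally:
        server.shutdown()
        server.server_close()
    return v1_status, v2_status, body


if __name__ == "__main__":
    print(run_exchange())  # (401, 200, 'placeholder-role-name')
```

The plain GET comes back 401 while the two-step client gets the data. That asymmetry is the defence: a vulnerable fetch(user_provided_url) normally issues a GET and cannot set a custom header, so it never completes step 1 and the token it would need for step 2 does not exist. The 21600-second TTL is the maximum IMDSv2 allows for a token.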
Protecting your cloud infrastructure requires a defense-in-depth approach.

Transition to IMDSv2
This URL represents one of the most critical security touchpoints in cloud computing. To the untrained eye, it looks like a string of random numbers; to a security professional, it’s a high-stakes gateway to an organization's AWS infrastructure.
Since the metadata service uses HTTP (not HTTPS), it's essential that this communication happens within a trusted network (like the EC2 instance's local network). AWS ensures this by only making the metadata service accessible from within the instance.
With these temporary credentials, the instance can securely access AWS resources as permitted by the IAM role.
In the Capital One data breach, attackers stole sensitive IAM credentials. For a detailed breakdown of the incident, visit Capital One Data Breach: What Happened, Impact, and Lessons.
The use of URL encoding (e.g., %3A for ':', %2F for '/') is a standard evasion technique used to bypass Web Application Firewalls (WAFs) or input sanitization logic that might be looking for the string 169.254.169.254 in plaintext.
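Both the monitoring point above (watch for attempts to reach the metadata endpoint) and the fetch(user_provided_url) case share one problem: the address has to be recognised after encoding is undone, not by a plaintext substring match. The following added example (not code from the page) does that on the defender's side. is_metadata_target() is the check an application would run on a user-supplied URL before fetching it, and scan_log() applies the same normalisation to access-log lines and flags the ones whose url= parameter reached for 169.254.169.254, including percent-encoded and double-encoded forms. It goes slightly beyond the text by treating the whole 169.254.0.0/16 link-local block as off-limits. The log lines, client IPs, timestamps and the name of the url parameter are constructed for the example.

```python
"""Defender-side handling of metadata-endpoint SSRF: block it at the request
boundary, and detect attempts in access logs.

Added example, not code from the page. The access-log lines and the 'url'
query-parameter name are constructed for this demonstration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# 169.254.169.254 sits in the link-local block; treat the whole block as off-limits.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%253A -> %3A -> :)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_metadata_target(url: str) -> bool:
    """True when the URL's host is a literal link-local IP address."""
    decoded = fully_decode(url)
    host = urlsplit(decoded).hostname
    if host is None:  # scheme-less input such as "169.254.169.254/latest/..."
        host = urlsplit("//" + decoded).hostname
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host) in LINK_LOCAL
    except ValueError:
        return False  # a hostname, not an IP literal; resolve and re-check in production


_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def extract_url_param(log_line: str) -> Optional[str]:
    """Pull the url= query parameter (decoded once by parse_qsl) out of an access-log line."""
    match = _REQUEST_RE.search(log_line)
    if not match:
        return None
    for key, value in parse_qsl(urlsplit(match.group(1)).query):
        if key == "url":
            return value
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, reason) for lines that look like metadata-endpoint probes."""
    hits = []
    for index, line in enumerate(lines):
        target = extract_url_param(line)
        if target is not None and is_metadata_target(target):
            hits.append((index, "url parameter resolves to link-local metadata address"))
        elif "169.254." in fully_decode(line):
            hits.append((index, "link-local address string present after decoding"))
    return hits


# Constructed access-log lines (nginx-style); client IPs and timestamps are made up.
SAMPLE_LOG = [
    '10.0.1.5 - - [01/Jan/2024:10:00:01 +0000] "GET /fetch?url=http://example.com/img.png HTTP/1.1" 200 512',
    '10.0.1.5 - - [01/Jan/2024:10:00:02 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 180',
    '10.0.1.7 - - [01/Jan/2024:10:00:03 +0000] "GET /fetch?url=http%253A%252F%252F169.254.169.254%252Flatest%252Fmeta-data%252F HTTP/1.1" 500 0',
    '10.0.1.9 - - [01/Jan/2024:10:00:04 +0000] "GET /fetch?url=https://169.254.169.254.example.test/ HTTP/1.1" 200 42',
]


if __name__ == "__main__":
    for index, reason in scan_log(SAMPLE_LOG):
        print(f"line {index}: {reason}")
```

The first log line is a normal fetch and is left alone; the second and third are the encoded and double-encoded forms of the credentials URL and are caught only because decoding happens before the host is inspected; the fourth has a hostname that merely contains the address string, which the strict guard correctly does not treat as an IP literal but the looser log heuristic still surfaces for review. In the application path, use is_metadata_target() as a deny check before the fetch; in production also resolve hostnames and re-check the resolved address, since the guard here deliberately inspects only IP literals.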