"Code": "Success",
"LastUpdated": "2023-04-12T16:55:44Z",
"Type": "AWS4",
"AccessKeyId": "ASIAQHJYEXAMPLE123",
"SecretAccessKey": "6P+RveEXAMPLEKeyHere123",
"SessionToken": "IQoJc2Vhc3QtMSJIMEYCIQCEXAMPLETokenValue123==",
"Expiration": "2023-04-12T23:55:44Z"
This specific attack vector was the methodology used in the 2019 Capital One data breach. An attacker used SSRF on a misconfigured web application firewall (WAF) to query the EC2 metadata service, steal credentials, and subsequently exfiltrate over 100 million credit card applications.
Even if credentials are leaked, the damage can be contained.
The URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ is a crucial component in how AWS EC2 instances retrieve their IAM role credentials. Understanding this URL and its components can help in designing secure and efficient AWS architectures. Always follow best practices for handling and securing temporary credentials to ensure the integrity and confidentiality of access to AWS resources.
http://169.254.169.254/latest/meta-data/iam/security-credentials/
This URL is used by AWS instances to retrieve temporary security credentials for making secure requests to AWS services. The breakdown of the URL is:
If a server-side script executes shell commands that include user input, an attacker might inject:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
If a web application on the instance makes HTTP requests based on user input (e.g., fetch(user_provided_url)), an attacker can supply http://169.254.169.254/latest/meta-data/iam/security-credentials/ and steal the instance's IAM keys.
Classic example:
An image-processing service that lets users provide a URL to fetch an image. The server blindly fetches the URL, and the attacker gives it the metadata endpoint.
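One way to harden the image-fetching service described above is to resolve the user-supplied host and refuse any destination that is link-local (which covers 169.254.169.254), loopback, private or otherwise non-public. The code below is an added example, not code from the original article; the function and scheme allow-list names are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the image fetcher only ever needs plain http(s).
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Return every IPv4/IPv6 address the host resolves to (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def is_forbidden_address(addr):
    """True for addresses an outbound fetch must never reach.

    Link-local (169.254.0.0/16, fe80::/10) blocks the EC2 metadata endpoint;
    loopback, private, reserved, multicast and unspecified ranges are blocked too.
    IPv4-mapped IPv6 forms such as ::ffff:169.254.169.254 are unwrapped first.
    """
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (addr.is_link_local or addr.is_loopback or addr.is_private
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_fetch_url(url):
    """Return (ok, reason); ok is True only for a public http(s) destination."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addrs = resolve_all(host)
    if not addrs:
        return False, "host did not resolve"
    # Every resolved address must be public, not just the first one.
    for addr in addrs:
        if is_forbidden_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

Resolving here and then fetching by hostname still leaves a DNS-rebinding window, so the actual HTTP client should connect to the address that passed validation. Redirects need the same check applied to each hop.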
Never assign an IAM role with overly broad permissions. Use fine-grained policies. If an attacker steals credentials for a role that can only read one S3 bucket of test data, damage is limited.