Curl-url-http-3a-2f-2f169.254.169.254-2flatest-2fapi-2ftoken

Let's break down the obfuscation. The string curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken is a command: a curl invocation against http://169.254.169.254/latest/api/token in which the ":" and "/" characters have been percent-encoded (3A and 2F).

This command is the gateway to securing Amazon Web Services (AWS) EC2 instances using the Instance Metadata Service Version 2 (IMDSv2). It allows an application or administrator to request a session token, which acts as a protective layer against Server-Side Request Forgery (SSRF) vulnerabilities.

What is 169.254.169.254?

169.254.169.254 is the link-local address at which the Instance Metadata Service answers from inside an EC2 instance; it is reachable only from the instance itself, not from the network. To understand why the /latest/api/token endpoint exists, it is vital to contrast the two versions of the AWS metadata service.

IMDSv1 (Insecure by Default)

In 2019, Capital One suffered a massive data breach in which an attacker exploited an SSRF vulnerability to access a server's metadata. In the older IMDSv1, a single GET request could yield sensitive IAM role credentials. AWS responded by introducing IMDSv2, which requires a "session-oriented" approach:

Step 1: Use a PUT request to generate a temporary token.
Step 2: Present that token in a request header on every subsequent metadata read.

First, request a token using PUT:

# Get the token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

-X PUT: Defines this as a PUT request, not a GET request.
X-aws-ec2-metadata-token-ttl-seconds: A mandatory header defining how long the token remains valid (in this case, 21600 seconds, i.e. 6 hours).

Once the token is securely stored in your shell variable $TOKEN, you can proceed to retrieve any metadata. You must pass the token in a custom header called X-aws-ec2-metadata-token.

# Read a metadata value with the token (the original page truncated this URL; the instance-id path is assumed from the variable name)
INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
echo "Instance ID: $INSTANCE_ID"

Security Benefits of IMDSv2

The token can only be obtained with a PUT request that carries a custom header, and every later read must present the token in a header of its own. An SSRF flaw that merely lets an attacker trigger a plain GET from the server is therefore no longer enough: if the application is vulnerable and IMDSv1 is disabled, the attacker must find a way to make a PUT request and read the token header to escalate privileges.

Best Practices for Cloud Professionals

While AWS supports both versions for backwards compatibility, leaving IMDSv1 enabled leaves a window of vulnerability open. Security teams should actively enforce IMDSv2 across their cloud infrastructure.

How to Enforce IMDSv2 via AWS CLI

If IMDSv2 enforcement is disabled on an instance, you can enable it via the AWS Console, CLI, or CloudFormation (requires instance stop/start if not using MetadataOptions at launch).

Enforce IMDSv2 using AWS Identity and Access Management (IAM) policies. The following policy condition blocks EC2 instances from launching if they allow IMDSv1:

Beyond IMDSv2, you can further protect the metadata service:
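The two-step token flow and the security benefit it brings, as an added model that is not part of the original page and not AWS code: a small in-memory stand-in for the metadata service that applies the IMDSv2 rules (a token is issued only to a PUT carrying the TTL header, the TTL is capped at 21600 seconds, a PUT with X-Forwarded-For is refused, and every metadata read needs a live token), plus a client that performs the exchange. The FakeImdsV2 class, fetch_with_token and the sample instance-id are constructed for this illustration.

```python
import secrets
import time

MAX_TTL = 21600  # 6 hours, the documented ceiling for an IMDSv2 token TTL


class FakeImdsV2:
    """In-memory stand-in for 169.254.169.254 with IMDSv1 disabled (added model, not AWS code)."""

    def __init__(self, metadata):
        self.metadata = metadata  # path -> value, constructed sample data
        self.tokens = {}          # token -> expiry timestamp

    def handle(self, method, path, headers, now=None):
        """Return (status, body) for one request, applying the IMDSv2 rules."""
        now = time.time() if now is None else now
        if path == "/latest/api/token":
            # Token issuance only via PUT, only with the TTL header, and never
            # through a proxy hop (IMDSv2 refuses PUTs carrying X-Forwarded-For).
            if "X-Forwarded-For" in headers:
                return 403, ""
            ttl = headers.get("X-aws-ec2-metadata-token-ttl-seconds")
            if method != "PUT" or ttl is None or not ttl.isdigit():
                return 400, ""
            if not 1 <= int(ttl) <= MAX_TTL:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self.tokens[token] = now + int(ttl)
            return 200, token
        # Every metadata path needs a live session token; a bare GET is refused.
        token = headers.get("X-aws-ec2-metadata-token")
        if token is None or self.tokens.get(token, 0) <= now:
            return 401, ""
        if path not in self.metadata:
            return 404, ""
        return 200, self.metadata[path]


def fetch_with_token(imds, path, ttl=MAX_TTL):
    """Client side of the flow: PUT for a token, then GET with the token header."""
    status, token = imds.handle("PUT", "/latest/api/token",
                                {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    if status != 200:
        raise RuntimeError("token request refused")
    return imds.handle("GET", path, {"X-aws-ec2-metadata-token": token})


if __name__ == "__main__":
    imds = FakeImdsV2({"/latest/meta-data/instance-id": "i-0123456789abcdef0"})
    print(imds.handle("GET", "/latest/meta-data/instance-id", {}))  # (401, '')
    print(fetch_with_token(imds, "/latest/meta-data/instance-id"))  # (200, 'i-0123456789abcdef0')
```

The `now` parameter lets you step a clock forward to watch a token expire after its TTL.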
