Between March 13 and 25, 2025, a surge in malicious activity was detected by F5 Labs. Threat actors systematically probed websites hosted on EC2, exploiting SSRF vulnerabilities to access the EC2 metadata endpoint. The attackers rotated between 6 query parameters and 4 metadata subpaths in a highly automated fashion, indicating a single, sophisticated actor leveraging IMDSv1 to compromise EC2 instances.
The latest path segment: this indicates that the instance should return the latest version of the metadata available.
Set the HttpTokens option to required and set the HttpPutResponseHopLimit to 1. This prevents the metadata from being accessible to containers or proxies that might be running on the instance, as the metadata service's PUT response cannot pass through more than one network hop.

3. Implement Principle of Least Privilege
Rather than hard-coding permanent access keys onto the server (which is a major security risk), AWS provides the IMDS. This is a service running on every EC2 instance, accessible only from within the instance itself. It provides information about the instance, such as its ID, IP address, and, crucially, the IAM role attached to it.
callback-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta-data-2Fiam-2Fsecurity-credentials-2F
Requiring the session token (IMDSv2) effectively thwarts simple SSRF attacks, because most SSRF vulnerabilities allow an attacker to control the URL but not the headers of the HTTP request.
    aws ec2 modify-instance-metadata-options \
        --instance-id i-1234567890abcdef0 \
        --http-tokens required \
        --http-endpoint enabled \
        --http-put-response-hop-limit 1
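The CLI call above fixes one instance at a time. As an added example (not code from the original article or from AWS), the script below audits a DescribeInstances-shaped result for instances that still allow IMDSv1 or have a hop limit above 1, and renders the matching modify-instance-metadata-options call for each. The reservation data is constructed for illustration; the instance IDs are placeholders, and in practice the same function would be fed boto3.client("ec2").describe_instances()["Reservations"].

```python
"""Find EC2 instances that do not enforce IMDSv2 and emit the remediation for each.

Added example, not the article's or AWS's own code. SAMPLE_RESERVATIONS is
constructed; MetadataOptions keys and values mirror the EC2 DescribeInstances API.
"""
from typing import Dict, List, Tuple


def instance_metadata_findings(reservations: List[dict]) -> List[Tuple[str, List[str], Dict]]:
    """Return (instance_id, problems, fix) for every instance that is weaker than
    HttpTokens=required with HttpPutResponseHopLimit=1.

    `fix` uses the parameter names of modify_instance_metadata_options, so it can
    be passed straight to boto3: ec2.modify_instance_metadata_options(**fix).
    """
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # With the endpoint disabled nothing on the instance can reach IMDS, so
            # there is nothing to harden (assumption: disabled is an accepted state).
            if opts.get("HttpEndpoint") == "disabled":
                continue
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed (HttpTokens is %r)" % opts.get("HttpTokens"))
            # The API always returns the hop limit; the default of 1 only covers hand-built input.
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                problems.append("hop limit %d lets containers or proxies on the instance reach IMDS"
                                % opts["HttpPutResponseHopLimit"])
            if problems:
                fix = {
                    "InstanceId": inst["InstanceId"],
                    "HttpTokens": "required",
                    "HttpEndpoint": "enabled",
                    "HttpPutResponseHopLimit": 1,
                }
                findings.append((inst["InstanceId"], problems, fix))
    return findings


def remediation_commands(findings) -> List[str]:
    """Render the equivalent AWS CLI call for each finding (same flags as the article's command)."""
    return [
        "aws ec2 modify-instance-metadata-options --instance-id {InstanceId} "
        "--http-tokens {HttpTokens} --http-endpoint {HttpEndpoint} "
        "--http-put-response-hop-limit {HttpPutResponseHopLimit}".format(**fix)
        for _, _, fix in findings
    ]


# Constructed sample shaped like describe_instances()["Reservations"]; IDs are placeholders.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0000000000000aa1",
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0000000000000bb2",
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0000000000000cc3",
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0000000000000dd4",
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 2}},
    ]},
]

if __name__ == "__main__":
    for instance_id, problems, _ in instance_metadata_findings(SAMPLE_RESERVATIONS):
        print(instance_id, "->", "; ".join(problems))
    for cmd in remediation_commands(instance_metadata_findings(SAMPLE_RESERVATIONS)):
        print(cmd)
```

Against the sample data, the audit flags i-0000000000000aa1 (IMDSv1 allowed and hop limit 2) and i-0000000000000dd4 (hop limit only), skips the instance whose endpoint is disabled, and leaves the already-hardened instance alone.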
In modern cloud computing, particularly within Amazon Web Services (AWS), the ability for an instance to know about itself is crucial. This information is provided through the Instance Metadata Service (IMDS), which is accessed via the specific IP address 169.254.169.254.
The Metadata Gate: Understanding SSRF and the AWS 169.254.169.254 Endpoint

Introduction
Attackers often hide this malicious URL in common application parameters that expect a remote link, such as:
- callback-url
- redirect_uri

2. Critical Fix: Enforce IMDSv2

The most effective defense is upgrading from IMDSv1 to
    {
      "Code" : "Success",
      "LastUpdated" : "2023-10-01T12:00:00Z",
      "Type" : "AWS-HMAC",
      "AccessKeyId" : "ASIAIOSFODNN7EXAMPLE",
      "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
      "Token" : "IQoJb3JpZ2luX2VjELz...",
      "Expiration" : "2023-10-01T18:00:00Z"
    }
Security researchers at Wiz uncovered a zero-day SSRF vulnerability in the Pandoc document converter. Attackers crafted malicious HTML documents containing <iframe> elements that targeted the AWS IMDS endpoint at 169.254.169.254. If the document was processed on an EC2 instance running Pandoc, the attacker could render and exfiltrate the IAM credentials.
If successful, the server fetches the internal page and returns the content. The attacker requests http://169.254.169.254/latest/meta-data/iam/security-credentials/ to receive the name of the attached IAM role (e.g., MyAppInstanceRole).
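The probing campaign described at the top of the article (one actor rotating through several query parameters and metadata subpaths), the link-style parameters named under "Attackers often hide this malicious URL", and the request to /latest/meta-data/iam/security-credentials/ shown just above all leave the same trace in a web server's access log. As an added example (not code from the original article or from F5 Labs), the script below scans access-log lines for query parameters whose decoded value points at 169.254.169.254 and then groups hits per source address, so that a client cycling through several parameters and subpaths stands out from a single accidental request. The log lines are constructed for illustration; the LINK_PARAMS and SENSITIVE_SUBPATHS lists are assumptions that extend the two parameter names and the one path the article gives, and only the literal IP is matched (alternative host spellings are out of scope here).

```python
"""Detect SSRF probes aimed at the EC2 metadata endpoint in web access logs.

Added example, not the article's or F5 Labs' code. SAMPLE_LOG is constructed;
LINK_PARAMS and SENSITIVE_SUBPATHS are assumptions built on the article's examples.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

IMDS_HOST = "169.254.169.254"

# Parameters that usually expect a remote link. The article names callback-url and
# redirect_uri; the others are assumed additions.
LINK_PARAMS = {"callback-url", "callback_url", "redirect_uri", "url", "next", "webhook"}

# Metadata subpaths worth flagging. The article shows /latest/meta-data/iam/security-credentials/;
# the remaining prefixes are assumed.
SENSITIVE_SUBPATHS = ("/latest/meta-data/", "/latest/dynamic/", "/latest/user-data", "/latest/api/token")

# Minimal Combined Log Format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Undo layered percent-encoding (a double-encoded URL hides the host from naive matching)."""
    decoded = value
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def metadata_probe(target: str) -> Optional[Tuple[str, str]]:
    """Return (parameter name, decoded URL) if any query parameter carries an IMDS URL, else None."""
    parts = urlsplit(target)
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_repeatedly(raw)
        if IMDS_HOST in decoded:
            return name, decoded
    return None


def scan_access_log(lines: List[str]) -> List[Dict]:
    """One finding per log line whose query string targets the metadata host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = metadata_probe(m["target"])
        if hit is None:
            continue
        param, url = hit
        path = urlsplit(url).path
        findings.append({
            "src": m["ip"],
            "param": param,
            "path": path,
            "sensitive": path.startswith(SENSITIVE_SUBPATHS),
            "known_link_param": param in LINK_PARAMS,
            "status": int(m["status"]),
        })
    return findings


def summarize_by_source(findings: List[Dict]) -> Dict[str, Dict]:
    """Group findings per client; rotation across parameters and paths indicates automation."""
    summary: Dict[str, Dict] = {}
    for f in findings:
        s = summary.setdefault(f["src"], {"params": set(), "paths": set(), "hits": 0})
        s["params"].add(f["param"])
        s["paths"].add(f["path"])
        s["hits"] += 1
    for s in summary.values():
        s["rotating"] = len(s["params"]) >= 2 and len(s["paths"]) >= 2
    return summary


# Constructed sample: one client rotating parameters and subpaths, one benign client.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Mar/2025:10:00:01 +0000] "GET /fetch?callback-url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Mar/2025:10:00:02 +0000] "GET /fetch?redirect_uri=http%3A%2F%2F169.254.169.254%2Flatest%2Fuser-data HTTP/1.1" 500 0',
    '203.0.113.7 - - [14/Mar/2025:10:00:03 +0000] "GET /fetch?url=http%253A%252F%252F169.254.169.254%252Flatest%252Fmeta-data%252F HTTP/1.1" 200 128',
    '198.51.100.9 - - [14/Mar/2025:10:01:00 +0000] "GET /fetch?callback-url=https%3A%2F%2Fexample.com%2Fhook HTTP/1.1" 200 64',
    '198.51.100.9 - - [14/Mar/2025:10:01:05 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for src, s in summarize_by_source(scan_access_log(SAMPLE_LOG)).items():
        print(src, s)
```

A 200 status on a finding whose path is under /latest/meta-data/iam/ is the case to treat as a likely credential exposure rather than a blocked probe: the application fetched the URL and returned something, so the attached role's temporary credentials should be assumed compromised and rotated.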