The IP address 169.254.169.254 is a link-local address that AWS uses to host the Instance Metadata Service (IMDS). The service is reachable only from inside the EC2 instance itself. It exposes data about the instance, including its network configuration, instance ID and, most importantly, the temporary security credentials for the IAM role assigned to that instance.

The Anatomy of the Attack
The application can then use these credentials to call AWS APIs (for example, read from S3, write to DynamoDB or launch new instances).
A web application on the EC2 instance lets user input define a URL that the server then fetches (for example, a "fetch profile picture from URL" feature).
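One way to harden a URL-fetch feature like this is to validate where the request will actually go before fetching. The Python below is an added example, not code from the original article: it applies the private and link-local ranges named in the mitigation section and, as an assumption of this example, also blocks loopback, the rest of 169.254.0.0/16 and the IPv6 equivalents. Hostnames are resolved before the check so that a DNS name pointing at 169.254.169.254 is rejected too; the `resolver` parameter is a hook for injecting a fake resolver in tests.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never reach. The three private subnets
# and the metadata address come from the mitigation section; the remaining
# entries are assumptions added in this example (loopback, the full IPv4
# link-local block, IPv6 loopback/link-local/ULA) so aliases of the same
# targets are caught as well.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # private subnets
        "169.254.169.254/32",                             # IMDS address
        "169.254.0.0/16",                                 # rest of link-local
        "127.0.0.0/8", "0.0.0.0/8",                       # loopback / "this host"
        "::1/128", "fe80::/10", "fc00::/7",               # IPv6 equivalents
    )
]


def _default_resolver(host):
    # Every address the host maps to (A and AAAA records); port is irrelevant here.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_blocked(addr_text):
    addr = ipaddress.ip_address(addr_text)
    # An IPv4 address tunnelled inside IPv6 (::ffff:169.254.169.254) must be
    # checked as the IPv4 address it really is.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_safe_target(url, resolver=_default_resolver):
    """Return (scheme, host, port, addresses) for a URL that is safe to fetch,
    or raise ValueError explaining why it was rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("no host in URL")
    # Literal IPs are checked directly; anything else goes through the resolver,
    # so a hostname (or a non-canonical IP spelling the OS accepts) is still
    # checked as the address it resolves to.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in addresses:
        if _is_blocked(addr):
            raise ValueError(f"destination {addr} for {host!r} is in a blocked range")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, host, port, addresses


if __name__ == "__main__":
    for candidate in ("https://example.com/avatar.png",
                      "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                      "http://[::ffff:169.254.169.254]/"):
        try:
            print("allowed:", resolve_safe_target(candidate))
        except (ValueError, socket.gaierror) as exc:
            print("rejected:", candidate, "->", exc)
```

Because the check and the later HTTP connection are two separate lookups, the fetcher should connect to the addresses this function returns rather than resolving the hostname a second time; otherwise a DNS record that changes between the two lookups can still land on a blocked destination.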
Block requests pointing to internal IP ranges, including the private subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local space (169.254.169.254/32).

3. Implement Least Privilege IAM Roles
Since the metadata service uses plain HTTP rather than HTTPS, this communication must stay within a trusted network (the EC2 instance's own local network). AWS enforces this by making the metadata service reachable only from within the instance.
An AWS instance can query the metadata service at http://169.254.169.254 for information about itself and its environment.
The specific URL in our focus, request-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta-data-2Fiam-2Fsecurity-credentials-2F/, is a URL-encoded version of the most sensitive endpoint within the IMDS: http://169.254.169.254/latest/meta-data/iam/security-credentials/. This encoding (http-3A-2F-2F for http://, -2F for /, and -2Fmeta-data-2F for /meta-data/) is often used by attackers to obfuscate the request or to slip past simple pattern-matching security controls in web applications. It is a classic SSRF payload designed to make a server request data from its own metadata service.
The vulnerable server executes the request without validating it. Because the request originates from within the EC2 instance, AWS treats it as legitimate and returns the instance's temporary security credentials.
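The encoding trick described above is easiest to catch if the request target is decoded before it is matched. The Python below is added here as an illustration and is not code from the article: it unwraps repeated percent-encoding as well as the hyphen-for-percent form shown above, then flags access-log entries whose decoded target points at the metadata service. The log lines are constructed samples, not real traffic; the IPv6 metadata address in the indicator list is an assumption taken from AWS documentation rather than from the article.

```python
import re
from urllib.parse import unquote

# Indicators of a request aimed at the instance metadata service. The IPv4
# address and the meta-data path come from the article; fd00:ec2::254 is the
# IPv6 IMDS endpoint, added here as an assumption (not mentioned in the text).
IMDS_INDICATORS = ("169.254.169.254", "fd00:ec2::254", "/latest/meta-data/")

# Constructed sample access-log lines (Apache combined style), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /profile?avatar=https://cdn.example/a.png HTTP/1.1" 200 512
203.0.113.8 - - [10/Oct/2023:13:55:37 +0000] "GET /profile?avatar=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 1340
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /profile?avatar=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 1340
203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "GET /profile?avatar=http%253A%252F%252F169%252E254%252E169%252E254%252F HTTP/1.1" 200 90
203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET /fetch/request-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta-data-2Fiam-2Fsecurity-credentials-2F/ HTTP/1.1" 200 1340
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The -3A / -2F style from the article: a hyphen standing in for the percent sign.
# Only upper-case hex pairs are rewritten so "-data" in meta-data is left alone.
HYPHEN_HEX = re.compile(r"-([0-9A-F]{2})")


def _unwrap(text, rounds):
    """Percent-decode repeatedly to undo double or triple encoding."""
    out = []
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        out.append(decoded)
        text = decoded
    return out


def decodings(target, rounds=3):
    """Return the raw request target plus every decoded variant, in order."""
    variants = [target]
    variants += _unwrap(target, rounds)
    variants += _unwrap(HYPHEN_HEX.sub(r"%\1", target), rounds)
    return list(dict.fromkeys(variants))  # de-duplicate, keep order


def matches_imds(target):
    """Return the first decoded form containing an IMDS indicator, or None."""
    for variant in decodings(target):
        lowered = variant.lower()
        if any(indicator in lowered for indicator in IMDS_INDICATORS):
            return variant
    return None


def find_imds_requests(log_text):
    """Return [(client_ip, decoded_target)] for each log line aimed at IMDS."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        decoded = matches_imds(match.group("target"))
        if decoded is not None:
            hits.append((line.split(" ", 1)[0], decoded))
    return hits


if __name__ == "__main__":
    for client, target in find_imds_requests(SAMPLE_LOG):
        print(f"IMDS request from {client}: {target}")
```

Matching on the decoded forms rather than the raw request line is what catches the double-encoded and hyphen-encoded variants; a rule that looks only for the literal string 169.254.169.254 misses the fourth sample line entirely.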