To prevent this request URL from resulting in a breach, organizations must implement defense-in-depth strategies.
Never assign an IAM role with overly broad permissions. Use fine-grained policies. If an attacker steals credentials for a role that can only read one S3 bucket of test data, damage is limited. Even if credentials are leaked, the damage can be contained.
IMDSv2 adds session-oriented requests: a client must first obtain a session token with a PUT request and then present it in a required header (X-aws-ec2-metadata-token) on every metadata GET. This blocks many SSRF attacks because simple GET requests without the token are not served.
Example:
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
Why it helps: an SSRF that can only issue plain http:// GET requests cannot perform the PUT to retrieve the token first, so its GET for the credentials path is rejected.
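To make the handshake concrete, here is an added example (not from the original page) that simulates the metadata service in process and shows why a GET-only SSRF fails against IMDSv2 but still succeeds when IMDSv1 is allowed. The SimulatedImds class, the role name and the injectable clock are constructed for the simulation; no real endpoint is contacted.

```python
import secrets
import time

TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

class SimulatedImds:
    # In-process stand-in for the metadata service; the real endpoint is never contacted.
    def __init__(self, require_tokens=True, now=time.time):
        self.require_tokens = require_tokens  # True: IMDSv2 required; False: IMDSv1 GETs still served
        self.now = now                        # injectable clock so token expiry can be tested
        self._tokens = {}                     # token -> expiry timestamp
        self.role_name = "example-role"       # constructed sample value, not a real role

    def request(self, method, path, headers=None):
        headers = headers or {}
        if method == "PUT" and path == "/latest/api/token":
            ttl_raw = headers.get(TOKEN_TTL_HEADER, "0")
            ttl = int(ttl_raw) if ttl_raw.isdigit() else 0
            if not 1 <= ttl <= 21600:
                return 400, "invalid or missing TTL header"
            token = secrets.token_urlsafe(32)
            self._tokens[token] = self.now() + ttl
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        token = headers.get(TOKEN_HEADER)
        if token is not None:
            if self._tokens.get(token, 0) < self.now():
                return 401, "invalid or expired token"
        elif self.require_tokens:
            return 401, "token required"  # this is what defeats a plain-GET SSRF
        if path == CREDS_PATH:
            return 200, self.role_name
        return 404, "not found"

def ssrf_fetch(imds, url):
    # A fetcher limited to plain GETs with no custom headers: the usual reach of an SSRF via a URL parameter.
    path = url.split("169.254.169.254", 1)[1]
    return imds.request("GET", path)

def legitimate_fetch(imds):
    # The two-step flow from the page: PUT for a token, then GET with the token header.
    status, token = imds.request("PUT", "/latest/api/token", {TOKEN_TTL_HEADER: "21600"})
    if status != 200:
        return status, token
    return imds.request("GET", CREDS_PATH, {TOKEN_HEADER: token})
```

Running legitimate_fetch against a require_tokens=True instance returns the role name, while ssrf_fetch against the same instance gets a 401; only with require_tokens=False does the GET-only path succeed.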
If a server-side script executes shell commands that include user input, an attacker might inject:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/