
callback-url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

When an AWS instance makes a request to this URL, it is essentially asking for temporary security credentials that can be used to access AWS resources. These credentials are generated based on the IAM role associated with the instance. The process works as follows:

The callback URL has various use cases:

The specific path /latest/meta-data/iam/security-credentials/[role-name] hosts temporary security credentials (Access Key ID, Secret Access Key, and Token) associated with the IAM role assigned to that EC2 instance.

By accessing the /latest/meta-data/iam/security-credentials/ path, the instance can request the temporary security credentials associated with its IAM role.

callback-url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

    callback-url                                  : Parameter
    169.254.169.254                               : Link-Local Address
    /latest/meta-data/iam/security-credentials/   : AWS IMDS Core Endpoint

The danger lies in the simplicity of the URL. If an attacker finds a vulnerability—a bug where your application can be forced to make HTTP requests to a URL chosen by the attacker—they can point the application to http://169.254.169.254/latest/meta-data/iam/security-credentials/. If successful, the attacker can:

For any application that accepts a URL as input, implement strict whitelisting: only allow requests to trusted domains or IP ranges, and reject any IP address in the private or link-local ranges, including 169.254.169.254.
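The following is an added example of such a check, not code from the page or from any particular project. It assumes a hypothetical allowlist of callback hosts (callbacks.example.com, hooks.example.net) and resolves the allowlisted name before use, so a DNS record that points at 169.254.169.254 or another private address is rejected as well as a literal IP in the URL.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this application may call back to.
ALLOWED_HOSTS = {"callbacks.example.com", "hooks.example.net"}

# Address ranges a user-supplied URL must never reach.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # link-local; includes 169.254.169.254 (IMDS)
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private ranges
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("0.0.0.0/8"),       # "this network", reaches localhost on some stacks
    ipaddress.ip_network("100.64.0.0/10"),   # shared address space, used by some cloud metadata services
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]


def is_blocked_address(addr: str) -> bool:
    """True if the address falls in a private, loopback or link-local range."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 so ::ffff:169.254.169.254 is judged as 169.254.169.254.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def _system_resolve(host: str) -> list:
    """Resolve a hostname to every address the resolver returns (A and AAAA)."""
    addrs = set()
    for info in socket.getaddrinfo(host, None):
        addrs.add(info[4][0].split("%")[0])  # drop IPv6 scope id if present
    return sorted(addrs)


def validate_callback_url(url: str, resolve=None):
    """Return (ok, reason). `resolve` may be injected so the check runs offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # Literal IPs (including bracketed IPv6 and IPv4-mapped forms) are rejected outright:
    # callbacks go only to named hosts on the allowlist.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP address not allowed"
    except ValueError:
        pass
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    # Even an allowlisted name is checked after resolution, so a DNS record that
    # points into a blocked range cannot be used to reach the metadata service.
    addrs = (resolve or _system_resolve)(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"host resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the fake resolver keeps the demo offline.
    fake_dns = lambda host: ["203.0.113.10"]
    for candidate in (
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://attacker.example.org/hook",
        "https://callbacks.example.com/hook",
    ):
        print(candidate, "->", validate_callback_url(candidate, resolve=fake_dns))
```

The HTTP client that follows this check should connect to the address that was validated (or re-run the check on every redirect and refuse to follow redirects to non-allowlisted hosts), otherwise a name that changes between validation and connection can still land on 169.254.169.254.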

A recent log or configuration review has revealed a plaintext callback URL containing a highly sensitive internal endpoint:

The most infamous exploitation of the metadata service callback URL occurred in the 2019 Capital One data breach. An attacker, a former AWS employee, exploited an SSRF vulnerability in a misconfigured web application firewall (WAF) on a Capital One EC2 instance. By sending a request that forced the server to fetch http://169.254.169.254/latest/meta-data/iam/security-credentials/, the attacker obtained the credentials of an IAM role with excessive privileges. Those credentials were then used to list and copy data from more than 100 million credit card applications stored in S3 buckets.

The application then uses the URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ to retrieve the temporary security credentials (AccessKey, SecretKey, and Token) associated with that role.

How to Access Security Credentials

Once the attacker obtains these credentials, they can configure their local AWS CLI with the stolen keys and gain the exact same permissions as the compromised EC2 instance.

Remediation and Defense Strategies

– Requests access to the local cloud metadata endpoint.

Understanding the AWS Metadata Service URL: Security and Exploitation (169.254.169.254)


Recommended actions: