Request URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ Jun 2026

Note: Disabling IMDS breaks tools like AWS CLI, SDKs, and the EC2 launch scripts that rely on metadata. Test thoroughly.

If userUrl is http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole, the server will fetch and leak the credentials.

The URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ is a "smoking gun" indicator of cloud exploitation. It serves no legitimate purpose in an application's input field. Its presence in server logs, WAF logs, or application inputs suggests an active reconnaissance or exploitation phase of an SSRF attack.
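One way to look for this indicator in access logs, as an added example that is not part of the original page: the log format, the /preview?url= parameter and the function names are assumptions, and the sample lines are constructed. Values are percent-decoded first because logs often record the parameter in encoded form.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

IMDS_ADDR = ipaddress.ip_address("169.254.169.254")
CRED_PATH = "/latest/meta-data/iam/security-credentials"
# Lookahead so a URL nested inside another URL's query string is also matched.
URL_RE = re.compile(r"(?=(https?://[^\s\"'<>]+))", re.IGNORECASE)

# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.7 "GET /preview?url=https://example.com/avatar.png HTTP/1.1" 200',
    '203.0.113.7 "GET /preview?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2FMyRole HTTP/1.1" 200',
    '203.0.113.7 "GET /preview?url=http%253A%252F%252F169.254.169.254%252Flatest%252Fmeta-data%252Finstance-id HTTP/1.1" 200',
]


def normalise(value, rounds=3):
    """Percent-decode until stable; proxies and loggers may encode more than once."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_imds_references(line):
    """Return (url, severity) for each URL in the line whose host is the IMDS address."""
    hits = []
    for match in URL_RE.finditer(normalise(line)):
        url = match.group(1)
        try:
            parts = urlsplit(url)
            addr = ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            continue  # host is a name, not an IP literal, or the URL is malformed
        if addr == IMDS_ADDR:
            on_cred_path = parts.path.lower().startswith(CRED_PATH)
            hits.append((url, "credentials" if on_cred_path else "metadata"))
    return hits


def scan(lines):
    """Return (line_number, url, severity) for every flagged reference."""
    return [(n, url, sev) for n, line in enumerate(lines, 1)
            for url, sev in find_imds_references(line)]
```

A "credentials" hit means the logged value targeted the security-credentials path itself; a "metadata" hit is any other request aimed at the metadata address.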

Unlike IMDSv1, which uses a simple GET request, IMDSv2 requires a PUT request to establish a session, followed by a GET request with a token header. Attackers cannot easily perform a PUT request via simple SSRF. You can force IMDSv2 via the CLI:

* 169.254.169.254 is an IP address used by cloud service providers, such as AWS, Azure, and Google Cloud, to provide metadata abo... Security Compass

The URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ is a link-local address accessible only from within an EC2 instance.

The requested URL is a critical endpoint within the AWS Instance Metadata Service (IMDS), used by EC2 instances to retrieve temporary security credentials. The presence of this specific string, often seen in logs or security alerts, frequently indicates an attempt to exploit a Server-Side Request Forgery (SSRF) vulnerability.

What is this Endpoint?

(if not needed)

    {
      "Code": "Success",
      "Type": "AWS-HMAC",
      "AccessKeyId": "ASIA...",
      "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
      "Token": "FQoGZXIvYXdzE...[very long string]",
      "Expiration": "2025-12-15T00:00:00Z"
    }

Imagine a web application with a feature that fetches a profile picture from a user-supplied URL or previews a webpage: https://example.com

The URL http://169.254.169 is an AWS Instance Metadata Service endpoint utilized to retrieve temporary security credentials, a common target for Server-Side Request Forgery (SSRF) attacks. Instance Metadata Service Version 2 (IMDSv2) enhances security by implementing session-oriented authentication, mandatory headers, and configurable hop limits to mitigate unauthorized access.

An SSRF vulnerability occurs when an application takes user-supplied input and uses it to make a request on the backend. If an application allows a user to define a URL that the server fetches (e.g., a "fetch thumbnail" feature), an attacker can supply http://169.254.169... instead of a public image URL.

The Attack Chain

This article offers a comprehensive exploration of the 169.254.169.254 endpoint, focusing on the specific path /latest/meta-data/iam/security-credentials/. We will examine what it is, why it is a target, how attackers exploit it, and, most importantly, how you can defend against it.