This specific path returns the name of the IAM role assigned to the instance. A follow-up request to .../security-credentials/[role-name] returns a JSON document containing the AccessKeyId, SecretAccessKey, and Token for that role, together with an Expiration timestamp; these are temporary credentials, but until they expire they are just as usable from the attacker's machine as from the instance.
CB-20240424-001 Severity: Critical Vector: Server-Side Request Forgery (SSRF) / Configuration Leak
Amazon GuardDuty cannot see requests to the link-local metadata endpoint itself (that traffic never leaves the instance), but it can flag what happens next: its UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration finding types fire when credentials issued to an EC2 instance are used from outside AWS or from another AWS account, which is the usual signature of stolen instance-role credentials.
iam/security-credentials/: The IAM role determines what AWS resources the instance can access. By fetching credentials for the role attached to the instance, applications running on the instance can make authenticated, authorized requests to AWS services without any long-lived key stored on disk.
To mitigate this risk, AWS introduced IMDSv2, which requires every metadata request to carry a session token that can only be obtained with a PUT request (the X-aws-ec2-metadata-token-ttl-seconds header sets its lifetime). A typical SSRF primitive can only issue GET requests with attacker-controlled URLs, not PUT requests with custom headers, so it cannot obtain the token, and the PUT response hop limit (1 by default) stops the token from being relayed through a proxy or an extra container network hop. IMDSv1 remains available unless the instance's metadata options are set to HttpTokens=required, so enforce that setting rather than relying on the default.
Follow the principle of least privilege for the instance role: grant only the actions and resources the workload actually needs, so that credentials leaked through the metadata service are worth as little as possible to an attacker.
callback-url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
The string you see above is URL-encoded. Let's decode it piece by piece:
This string appears to be a URL-encoded payload that was:
Using these credentials, the attacker may be able to access S3 buckets, databases, or other AWS services depending on the permissions of the IAM role.
Now, let's dissect the callback URL: http://169.254.169.254/latest/meta-data/iam/security-credentials/.
The string callback-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta data-2Fiam-2Fsecurity credentials-2F is a URL-encoded payload in which each percent sign of the usual encoding has been written as a hyphen (-3A for %3A, the colon; -2F for %2F, the slash). When decoded, it points to: http://169.254.169.254/latest/meta-data/iam/security-credentials/
The attack typically targets applications that accept user-provided URLs for features like image uploads, link previews, or webhooks.

Abusing the AWS metadata service using SSRF vulnerabilities
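The defence on the application side is to validate any user-supplied URL before the server fetches it, and to pin the connection to the validated address so a DNS answer cannot change between the check and the request. The block below is an added example written for this page, not code from the original article: the validator, the UnsafeUrl exception, the rejects() helper, and the constructed FAKE_DNS table used to run it offline are all hypothetical names. It rejects both metadata endpoints the AWS documentation defines (169.254.169.254 and fd00:ec2::254), every private, loopback and link-local range, and, because it resolves anything that is not a plain IP literal, the decimal and hex spellings of the metadata address that inet_aton would otherwise quietly accept.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Vulnerable pattern the page describes (do not use): the server fetches
# whatever the client supplied, e.g. urllib.request.urlopen(user_url).
# From inside an EC2 instance that request reaches 169.254.169.254 and
# returns the instance role's credentials to the attacker.

# Both AWS Instance Metadata Service endpoints.
IMDS_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}

# Constructed DNS table so the example runs offline (hypothetical hosts).
# attacker.example models a DNS-rebinding host that also answers with IMDS,
# "2852039166" models how getaddrinfo turns a decimal IPv4 into an address.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "attacker.example": {"93.184.216.34", "169.254.169.254"},
    "2852039166": {"169.254.169.254"},
}


def default_resolver(host):
    """Production resolver: every address the host resolves to (A and AAAA)."""
    return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}


def fake_resolver(host):
    """Offline resolver backed by the constructed FAKE_DNS table."""
    return {ipaddress.ip_address(a) for a in FAKE_DNS.get(host, ())}


class UnsafeUrl(ValueError):
    """Raised when a user-supplied URL must not be fetched by the server."""


def is_forbidden_address(addr):
    """True for IMDS, private, loopback, link-local and other non-public addresses."""
    if addr in IMDS_ADDRESSES:
        return True
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    # ::ffff:169.254.169.254 is the same target wearing an IPv6 coat.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return is_forbidden_address(addr.ipv4_mapped)
    return False


def validate_outbound_url(url, resolver=default_resolver):
    """Return (url, pinned_ip) if the URL is safe to fetch, else raise UnsafeUrl.

    The caller must open the socket to pinned_ip (not re-resolve the name) and
    run this function again on every redirect target before following it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeUrl("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        # Plain IP literal (dotted quad or bracketed IPv6): check it directly.
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        # Anything else (names, decimal/hex IPv4 spellings) goes through DNS,
        # and every returned address has to be acceptable.
        addrs = resolver(host)
    if not addrs:
        raise UnsafeUrl(f"{host} does not resolve")
    bad = [a for a in addrs if is_forbidden_address(a)]
    if bad:
        raise UnsafeUrl(f"{host} resolves to forbidden address {bad[0]}")
    return url, min(addrs, key=str)


def rejects(url, resolver=default_resolver):
    """Convenience wrapper: True if the validator refuses the URL."""
    try:
        validate_outbound_url(url, resolver=resolver)
        return False
    except UnsafeUrl:
        return True


if __name__ == "__main__":
    print(validate_outbound_url("https://example.com/image.png", resolver=fake_resolver))
    for candidate in ("http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                      "http://2852039166/latest/meta-data/", "http://attacker.example/"):
        print(candidate, "rejected" if rejects(candidate, resolver=fake_resolver) else "allowed")
```

The address check on its own is not enough: without pinning, a host that resolves to a public address during validation and to 169.254.169.254 a second later passes the check and still reaches the metadata service, and an open redirect on an allowed host does the same unless each redirect is validated. Treat this as one layer alongside IMDSv2 with HttpTokens=required and a tightly scoped instance role.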
If you see a log entry containing callback-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta data-2Fiam-2Fsecurity credentials-2F or its decoded form:
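Searching logs for the exact encoded string catches only that one spelling. The block below is an added example, not code from the original article, that scans application log lines for any attempt to reach the metadata service: it undoes the hyphen-for-percent escaping described above, percent-decodes the result, pulls every URL out of the line, and compares the host against 169.254.169.254 and fd00:ec2::254 in dotted, decimal, hex and IPv6 form. The log lines are constructed for the example (the first reuses the page's payload verbatim; the others are variants an attacker might try), and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines, not taken from any real system. Line 1 carries
# the page's hyphen-escaped payload, line 2 the ordinary percent-encoded form,
# line 3 is benign, line 4 spells the IMDS address as a decimal integer and
# line 5 uses the IPv6 endpoint.
SAMPLE_LOG_LINES = [
    "Apr 24 10:01:12 webapp[4412]: webhook registered callback-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta data-2Fiam-2Fsecurity credentials-2F",
    "Apr 24 10:02:40 webapp[4412]: preview requested url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F",
    "Apr 24 10:03:01 webapp[4412]: preview requested url=https://example.com/image.png",
    "Apr 24 10:04:15 webapp[4412]: preview requested url=http://2852039166/latest/meta-data/",
    "Apr 24 10:05:02 webapp[4412]: preview requested url=http://[fd00:ec2::254]/latest/meta-data/iam/security-credentials/",
]

IMDS_V4 = int(ipaddress.IPv4Address("169.254.169.254"))  # 2852039166
IMDS_V6 = ipaddress.IPv6Address("fd00:ec2::254")

# '-XX' with upper-case hex is how the payload writes '%XX'. Upper-case only is a
# heuristic: it matches what percent-encoders emit while leaving ordinary
# hyphenated words such as 'meta-data' alone.
DASH_ESCAPE = re.compile(r"-([0-9A-F]{2})")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def decode_dash_escaped(text):
    """Rewrite '-XX' escapes back to '%XX', then percent-decode the whole string."""
    return unquote(DASH_ESCAPE.sub(r"%\1", text))


def host_to_int(host):
    """Integer form of an IPv4 host written as dotted quad, bare decimal or 0x-hex
    (all of which inet_aton accepts); None if it is not an IPv4 literal."""
    host = host.strip("[]")
    if re.fullmatch(r"\d+", host):
        return int(host)
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", host):
        return int(host, 16)
    try:
        return int(ipaddress.IPv4Address(host))
    except ValueError:
        return None


def is_imds_host(host):
    """True if the host names either AWS metadata endpoint in any spelling."""
    if not host:
        return False
    as_int = host_to_int(host)
    if as_int is not None:
        return as_int == IMDS_V4
    try:
        return ipaddress.IPv6Address(host.strip("[]")) == IMDS_V6
    except ValueError:
        return False


def imds_urls_in(text):
    """All URLs in an already-decoded line whose host is the metadata service."""
    hits = []
    for match in URL_RE.finditer(text):
        try:
            host = urlsplit(match.group(0)).hostname
        except ValueError:  # malformed bracketed IPv6 host
            continue
        if is_imds_host(host):
            hits.append(match.group(0))
    return hits


def scan_log(lines):
    """Return (line_number, decoded_line, imds_urls) for each line that reaches for IMDS."""
    findings = []
    for number, line in enumerate(lines, 1):
        decoded = decode_dash_escaped(line)
        urls = imds_urls_in(decoded)
        if urls:
            findings.append((number, decoded, urls))
    return findings


if __name__ == "__main__":
    for number, decoded, urls in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {urls[0]}")
```

Run against the constructed lines it flags 1, 2, 4 and 5 and leaves the example.com preview alone. The decoded line is kept in the finding so an analyst sees the readable URL rather than the escaped blob, but detection keys on the parsed host, not on the decoded text, so a partial or ambiguous decode does not hide a hit.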
/latest/meta-data/ – Selects the current API version and the metadata tree describing the running instance (instance ID, network configuration, attached roles, and so on).
Here is an informative article detailing what this endpoint is, how it works, and its critical implications for cloud security.
169.254.169.254 – This is a link-local IP address, reachable only from inside the instance and never routed beyond it. Cloud providers including Amazon Web Services (AWS) serve their Instance Metadata Service (IMDS) on it; an SSRF is dangerous precisely because it lets an outsider make the instance itself issue the request.