EC2
EC2 overview and attacks
Last updated
Was this helpful?
EC2 overview and attacks
Last updated
Was this helpful?
Instance Metadata Service (IMDS)
Runs on every EC2 instance by default but
should be used when enabled (more secure)
Retrieves e.g. user-data may contain hard-coded secrets, and meta-data has details on the instance itself like IP, hostname, Instance Profile creds, etc.
Available on the following URIs:
IPv4 http://169.254.169.254/latest/meta-data/
IPv6 http://[fd00:ec2::254]/latest/meta-data/
aws ec2 describe-instance-attribute --instance-id "instanceId" --attribute userData
- Simple bash script leveraging the aws cli, enumerates all ec2 instances, and returns decoded user-data
If the instance has an IAM role attached to it, find it here, http://169.254.169.254/latest/meta-data/iam/security-credentials/<IamRoleName>
Similarly, another path exists meta-data/identity-credentials/ec2/security-credentials/ec2-instance but this is used for AWS Services like SSM or EC2 Instance Connect. These are not valid credentials that can be used in API calls.