Request URL: http://169.254.169.254/latest/meta-data/iam/security-credentials/

These credentials are the keys to the kingdom. An attacker who successfully exfiltrates them can use them to authenticate to AWS APIs with the same permissions as the EC2 instance's IAM role. This can allow them to access S3 buckets, launch or terminate instances, create backdoors, and perform a wide range of malicious actions, effectively granting them control over the AWS environment.

Never give an EC2 instance more permissions than it absolutely needs. If a server is compromised, "Least Privilege" limits the damage an attacker can do with the stolen tokens.

If an attacker obtains these credentials, they can impersonate the instance and access any AWS resource the IAM role is permitted to use, often with devastating consequences.

Log all outgoing HTTP requests to 169.254.169.254. Alert when unexpected processes (e.g., a web server UID) make such calls.
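A small detector for that rule, added here as an example rather than taken from the original page: it reads constructed egress log lines, assumes a hypothetical baseline of UIDs that legitimately query IMDS, and alerts on any other UID, escalating when the request targets the credential path.

```python
import re
from dataclasses import dataclass

IMDS_HOST = "169.254.169.254"
CREDENTIAL_PATH = "/latest/meta-data/iam/security-credentials/"

# Assumption for this example: UIDs that are expected to query IMDS on this
# host (root for cloud-init, plus a hypothetical "cloud-agent" service account).
EXPECTED_UIDS = {0, 1001}

# Constructed sample egress log (not from any real system), one request per
# line: "<timestamp> uid=<uid> comm=<process> dst=<host> path=<path>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z uid=0 comm=cloud-init dst=169.254.169.254 path=/latest/meta-data/instance-id
2024-05-01T10:00:05Z uid=33 comm=nginx dst=169.254.169.254 path=/latest/meta-data/iam/security-credentials/
2024-05-01T10:00:06Z uid=33 comm=nginx dst=169.254.169.254 path=/latest/meta-data/instance-id
2024-05-01T10:00:07Z uid=33 comm=nginx dst=api.example.com path=/v1/orders
2024-05-01T10:00:09Z uid=1001 comm=cloud-agent dst=169.254.169.254 path=/latest/meta-data/iam/security-credentials/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) comm=(?P<comm>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)


@dataclass
class Alert:
    ts: str
    uid: int
    comm: str
    path: str
    severity: str


def detect_imds_abuse(log_text, expected_uids=EXPECTED_UIDS):
    """Return one Alert per IMDS request made by a UID outside the baseline."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        if m["dst"] != IMDS_HOST:
            continue  # only metadata-service traffic is of interest here
        uid = int(m["uid"])
        if uid in expected_uids:
            continue
        # Any IMDS call from an unexpected UID is suspicious; a hit on the
        # credential path is what an attempted credential theft looks like.
        severity = "high" if m["path"].startswith(CREDENTIAL_PATH) else "medium"
        alerts.append(Alert(m["ts"], uid, m["comm"], m["path"], severity))
    return alerts
```

In production the log format and the UID baseline would come from your own egress proxy or audit source; the parsing regex is the only part tied to the constructed format above.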

This specific URL is the gateway to the AWS Instance Metadata Service (IMDS), a feature that provides configuration data to EC2 instances. While incredibly useful for developers, it is also one of the endpoints most targeted by attackers looking to compromise cloud environments.

The URL http://169.254.169.254 points to the AWS Instance Metadata Service (IMDS). This is an internal-only HTTP endpoint, reachable only from within an EC2 instance, that provides information about the instance itself.

Only allow outbound requests to a pre-approved list of domains.

This specific endpoint is used to retrieve the temporary security credentials for the IAM role assigned to an EC2 instance.