Curl-url-http-3a-2f-2f169.254.169.254-2flatest-2fapi-2ftoken

If your EC2 instance has an IAM role attached, you can safely extract the temporary Access Key, Secret Key, and Session Token:

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id

Set the metadata HTTP token hop limit to 1 for containerized environments. This prevents containers running inside a pod or docker environment from reaching the host instance's metadata service.

The server makes a request from its internal IP to the metadata service, retrieves the token, and potentially returns it in an error message or redirect.

With these three strings, an attacker can impersonate your EC2 instance from anywhere in the world.

SSRF occurs when an application fetches a remote resource without validating the URL. Attackers point the application to 169.254.169.254. Under IMDSv1, the application blindly returns credentials. Under IMDSv2, the request fails because the application cannot perform the initial PUT request or pass the required headers.

Transitioning to IMDSv2

Organizations should disable IMDSv1 globally. Update old SDKs and software libraries. Modify AWS launch templates to require IMDSv2. Use AWS Systems Manager to audit legacy instances.

Mitigation via IAM Policies

Once you have stored the token inside the $TOKEN environment variable, you use it as an HTTP header named X-aws-ec2-metadata-token to retrieve the actual instance configuration data.

Example 1: Fetching the Instance ID

For high‑frequency queries, cache the token and refresh when it expires:
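As an added example (not code from the original page), a POSIX shell helper that implements the caching described above: the token is kept in shell variables and re-fetched shortly before its TTL runs out. IMDS_BASE, IMDS_TOKEN_TTL and the function names are assumptions, and curl must be present on the instance.

```shell
#!/bin/sh
# Added example: cache an IMDSv2 token and refresh it before it expires, so
# high-frequency callers do not issue a PUT on every metadata request.
# IMDS_BASE and IMDS_TOKEN_TTL are assumed, overridable variables.
IMDS_BASE="${IMDS_BASE:-http://169.254.169.254}"
IMDS_TOKEN_TTL="${IMDS_TOKEN_TTL:-21600}"   # seconds; 21600 is the IMDSv2 maximum
IMDS_REFRESH_MARGIN=60                       # refresh this many seconds early
IMDS_TOKEN=""
IMDS_TOKEN_EXPIRES=0

# Usage: imds_token_stale <now> <expires> <token>
# Returns 0 (true) when no token is cached or it is within the refresh margin
# of its expiry. Pure function of its arguments, so it can be checked offline.
imds_token_stale() {
  [ -z "$3" ] && return 0
  [ "$1" -ge $(($2 - IMDS_REFRESH_MARGIN)) ]
}

# Refresh the cached token only when it is stale. Deliberately not called via
# $(...): a subshell would discard the updated cache variables.
# The PUT must carry X-aws-ec2-metadata-token-ttl-seconds or IMDS returns 400.
imds_token_refresh() {
  now=$(date +%s)
  if imds_token_stale "$now" "$IMDS_TOKEN_EXPIRES" "$IMDS_TOKEN"; then
    IMDS_TOKEN=$(curl -sf -X PUT "$IMDS_BASE/latest/api/token" \
      -H "X-aws-ec2-metadata-token-ttl-seconds: $IMDS_TOKEN_TTL") || return 1
    IMDS_TOKEN_EXPIRES=$((now + IMDS_TOKEN_TTL))
  fi
}

# Fetch a metadata path (e.g. meta-data/instance-id) using the cached token.
imds_get() {
  imds_token_refresh || return 1
  curl -sf -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$IMDS_BASE/latest/$1"
}

# Run with --demo on an instance: the second call reuses the cached token
# instead of issuing another PUT.
if [ "${1:-}" = "--demo" ]; then
  imds_get meta-data/instance-id
  imds_get meta-data/instance-id
fi
```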

IMDSv2 tokens use an IP hop limit (TTL) of 1 by default. This ensures that the token cannot travel outside the EC2 instance if it accidentally passes through a container network bridge or misconfigured local proxy.

Best Practices for AWS Administrators

In IMDSv1, accessing metadata was a simple HTTP GET request: curl http://169.254.169

To maintain a secure cloud environment, adhere to the following best practices:
