What is IMDSv1?
IMDS stands for Instance Metadata Service. It’s a special HTTP endpoint inside every EC2 instance that allows applications to fetch instance-specific information without needing AWS credentials.
http://169.254.169.254/latest/meta-data/
How IMDSv1 Works
IMDSv1 is the original version that works with a simple unauthenticated HTTP GET request.
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
This request can return sensitive information like:
- IAM role name
- Temporary AWS credentials (Access Key, Secret Key, Session Token)
- Instance ID, region, AMI ID, etc.
⚠ Problems with IMDSv1
Since there is no authentication, if an application is vulnerable to Server-Side Request Forgery (SSRF), an attacker could trick it into calling 169.254.169.254 and steal AWS credentials.
This vulnerability has been exploited in real-world breaches such as the Capital One 2019 attack.
✅ What IMDSv1 Exposes and Why It's Risky
Querying the metadata endpoint gives a list of categories:
- ami-id
- ami-launch-index
- ami-manifest-path
- block-device-mapping/
- hostname
- iam/
- instance-id
- instance-type
- local-ipv4
- placement/
- public-hostname
- public-ipv4
- security-groups
Sensitive Section: iam/
This section exposes AWS credentials:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
Response: MyAppRole
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/MyAppRole
Sample JSON response:
{ "Code": "Success", "LastUpdated": "2025-09-05T12:34:56Z", "Type": "AWS-HMAC", "AccessKeyId": "ASIAxxxxxxxxxxxx", "SecretAccessKey": "abcd1234abcd1234abcd1234abcd1234abcd1234", "Token": "IQoJb3JpZ2luX2VjEJj//////////wEaDmFwLW5vcnRoZWFzdC0xIkgwRgIh...", "Expiration": "2025-09-05T18:34:56Z" }
These temporary credentials allow an attacker to access AWS resources.
Other Metadata Examples
- instance-id → i-0abc12345def67890
- instance-type → t3.large
- local-ipv4 → 10.0.2.15
- public-ipv4 → 54.210.xxx.xxx
- security-groups → web-sg
- placement/availability-zone → us-east-1a
✅ What's the Solution?
IMDSv2 is a more secure version that requires a session token obtained via an HTTP PUT request before accessing metadata.
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/
This mitigates SSRF attacks because the token can only be obtained with a PUT request carrying a custom header, which the simple GET requests produced by typical SSRF bugs cannot issue, and every metadata GET without a valid token is rejected.
Set the instance metadata option HttpTokens=required to enforce token-based authentication, which disables IMDSv1 on the instance.
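The token exchange above, as an added example that is not part of the original post: a small mock of the IMDSv2 rules (PUT with the TTL header issues a token; a GET without a valid token gets 401; the real service additionally refuses token requests carrying X-Forwarded-For, which the mock mirrors) next to a client that performs the two-step flow. The mock listens on localhost, serves a constructed role name rather than real AWS data, and is not the AWS service.

```python
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample metadata for the mock (not real AWS data).
METADATA = {"/latest/meta-data/iam/security-credentials/": "MyAppRole"}
TOKENS = set()  # tokens issued by the mock; real IMDSv2 also expires them by TTL


class MockImdsV2(BaseHTTPRequestHandler):
    """Mimics the IMDSv2 rules: PUT for a token, every GET must carry it."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path != "/latest/api/token" or "X-aws-ec2-metadata-token-ttl-seconds" not in self.headers:
            return self._send(400, "bad token request")
        if "X-Forwarded-For" in self.headers:  # proxied token requests are refused
            return self._send(403, "forbidden")
        token = secrets.token_urlsafe(32)
        TOKENS.add(token)
        self._send(200, token)

    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") not in TOKENS:
            return self._send(401, "unauthorized")  # an IMDSv1-style plain GET fails here
        body = METADATA.get(self.path)
        self._send(200, body) if body else self._send(404, "not found")


def start_mock():
    """Start the mock on a free localhost port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), MockImdsV2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def get_token(base, ttl=60):
    """Step 1 of IMDSv2: PUT /latest/api/token with the TTL header."""
    req = Request(base + "/latest/api/token", method="PUT",
                  headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with urlopen(req) as r:
        return r.read().decode()


def fetch(base, path, token=None):
    """Step 2: GET a metadata path, optionally with the token; returns (status, body)."""
    req = Request(base + path, headers={"X-aws-ec2-metadata-token": token} if token else {})
    try:
        with urlopen(req) as r:
            return r.status, r.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()
```

Calling `fetch(base, "/latest/meta-data/iam/security-credentials/")` without a token returns a 401, while the same call with the result of `get_token(base)` returns the role name.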
Summary
- IMDSv1: Legacy, insecure, unauthenticated GET requests.
- IMDSv2: Requires token-based authentication, preventing blind SSRF attacks.
- Always disable IMDSv1 and use IMDSv2 for improved security.