When an AWS instance makes a request to this URL, it is essentially asking for temporary security credentials that can be used to access AWS resources. These credentials are generated based on the IAM role associated with the instance. The process works as follows:
Using these credentials, the attacker may be able to access S3 buckets, databases, or other AWS services depending on the permissions of the IAM role. When an AWS instance makes a request to
: This is a link-local IP address. It is a non-routable address reserved for communication between a host and itself. AWS reserves this specific IP for the metadata service. Because it is a fixed IP, applications running inside the instance (like the AWS CLI or SDKs) always know exactly where to look for credentials without needing configuration. : This is a link-local IP address
Here's a step-by-step explanation of how the http://169.254.169.254/latest/meta-data/iam/security-credentials/ URL works: Because it is a fixed IP, applications running
: A parameter often used in web applications to tell a server where to send data after a task is finished.
: This updated version requires a session-oriented "token-based" approach. An attacker cannot simply perform a GET request; they must first perform a PUT request to get a token, which most SSRF vulnerabilities cannot do. You can find migration guides on the AWS Documentation page.
in this context most likely refers to a successful security test or a "favorable" finding in a security audit where the vulnerability was confirmed. New Zealand Information Security Manual Breakdown of the Payload callback-url