169.254.169.254: This is a link-local IP address used by AWS, Azure, and Google Cloud to provide metadata about the virtual machine.
import requests

# token: IMDSv2 session token obtained beforehand via a PUT to http://169.254.169.254/latest/api/token
role = requests.get("http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                    headers={"X-aws-ec2-metadata-token": token}).text.strip()
The URL string is the internal endpoint of the AWS Instance Metadata Service (IMDS), from which applications on an EC2 instance dynamically retrieve temporary IAM security credentials; in its legacy IMDSv1 mode it answers any plain HTTP GET with no authentication. While essential for seamless cloud authentication, this specific endpoint is one of the most critical attack vectors in cloud security: if an application suffers from a Server-Side Request Forgery (SSRF) vulnerability, an external attacker can make the server fetch this URL, steal the temporary AWS keys, and potentially compromise the entire cloud infrastructure.

What is the 169.254.169.254 Endpoint?
The IP address 169.254.169.254 is a link-local address used by cloud providers like AWS, Google Cloud Platform (GCP), and Microsoft Azure to host their Instance Metadata Services.
This URL is used in cloud environments, particularly on Amazon Web Services (AWS), to fetch temporary security credentials for an IAM role attached to an EC2 instance.
– Best practices for assigning least-privilege instance roles, rotating credentials, and using workload identity federation instead of static or metadata-fetched keys.
And receive a JSON response like:
Once IMDSv2 is enforced, any curl (or other HTTP request) sent without the session token receives a 401 Unauthorized response.
Stack Overflow answer: 169.254 is within the link-local address space: https://en.wikipedia.org/wiki/Link-local_address. It's u...
169.254.169.254 is a link-local address used by the AWS Instance Metadata Service (IMDS) to provide temporary IAM credentials to EC2 instances. Attackers exploit this endpoint via Server-Side Request Forgery (SSRF) to steal sensitive security credentials, particularly when using the legacy, unprotected IMDSv1. To mitigate these risks, organizations should enforce IMDSv2, which requires session-oriented authentication to secure instance metadata. Read the full guide on defending against this threat in the AWS documentation, "Retrieving Security Credentials from Instance Metadata".
💡 To protect your AWS instances, enforce IMDSv2 and set the "Metadata response hop limit" to 1.
The IP address 169.254.169.254 is a link-local address used by cloud providers, most notably AWS, to host the Instance Metadata Service (IMDS).
aws ec2 modify-instance-metadata-options --instance-id <INSTANCE_ID> --http-endpoint disabled

(<INSTANCE_ID> is a placeholder for the target EC2 instance; this command disables the instance metadata endpoint on that instance entirely.)