AWS IMDSv1 Attack
What is AWS IMDSv1 Attack?
Theft of EC2 instance role credentials by sending unauthenticated GET requests to the legacy IMDSv1 endpoint, typically via SSRF.
AWS Instance Metadata Service version 1 (IMDSv1) responds to any HTTP GET request made from the EC2 instance to http://169.254.169.254, including requests forwarded by a vulnerable application via SSRF. Attackers retrieve the path /latest/meta-data/iam/security-credentials/<role>/ to obtain a temporary AccessKeyId, SecretAccessKey, and SessionToken that can be used against AWS APIs from anywhere. IMDSv2 mitigates the attack by requiring a PUT request to fetch a session token, restricting the hop limit, and blocking responses to off-instance callers. Best practice is to enforce IMDSv2 fleet-wide via launch templates and instance defaults, and to monitor CloudTrail for unexpected use of the instance role.
● Examples
- 01
An SSRF in a web app causes curl http://169.254.169.254/latest/meta-data/iam/security-credentials/myrole/ to leak credentials.
- 02
An attacker reuses leaked temporary credentials from an external machine to list S3 buckets.
● Frequently asked questions
What is AWS IMDSv1 Attack?
Theft of EC2 instance role credentials by sending unauthenticated GET requests to the legacy IMDSv1 endpoint, typically via SSRF. It belongs to the Cloud Security category of cybersecurity.
What does AWS IMDSv1 Attack mean?
Theft of EC2 instance role credentials by sending unauthenticated GET requests to the legacy IMDSv1 endpoint, typically via SSRF.
How does AWS IMDSv1 Attack work?
AWS Instance Metadata Service version 1 (IMDSv1) responds to any HTTP GET request made from the EC2 instance to http://169.254.169.254, including requests forwarded by a vulnerable application via SSRF. Attackers retrieve the path /latest/meta-data/iam/security-credentials/<role>/ to obtain a temporary AccessKeyId, SecretAccessKey, and SessionToken that can be used against AWS APIs from anywhere. IMDSv2 mitigates the attack by requiring a PUT request to fetch a session token, restricting the hop limit, and blocking responses to off-instance callers. Best practice is to enforce IMDSv2 fleet-wide via launch templates and instance defaults, and to monitor CloudTrail for unexpected use of the instance role.
How do you defend against AWS IMDSv1 Attack?
Defences for AWS IMDSv1 Attack combine technical controls and operational practices: require IMDSv2 (session token required) through launch templates and account-level instance defaults, keep the hop limit low so token responses do not cross a network hop, fix the SSRF that reaches the metadata endpoint, and monitor CloudTrail for instance role credentials used from outside the instance.
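The two defensive checks described above, as an added illustration that is not code from the original page: the first function audits describe-instances output for instances whose MetadataOptions still answer IMDSv1-style GETs or allow a hop limit above 1, and the second scans CloudTrail records for EC2 instance-profile sessions (whose role session name is the instance ID) used from outside trusted address ranges. The instance IDs, account number, IP addresses and CIDR are constructed sample values.

```python
from ipaddress import ip_address, ip_network
SAMPLE_RESERVATIONS = [{"Instances": [  # constructed describe-instances output, hypothetical IDs
    {"InstanceId": "i-0aaa", "MetadataOptions":
        {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb", "MetadataOptions":
        {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc", "MetadataOptions":
        {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
]}]

SAMPLE_EVENTS = [  # constructed CloudTrail records, trimmed to the fields read below (hypothetical account)
    {"eventName": "ListBuckets", "sourceIPAddress": "10.0.1.15", "userIdentity":
        {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/myrole/i-0aaa"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7", "userIdentity":
        {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/myrole/i-0aaa"}},
    {"eventName": "AssumeRole", "sourceIPAddress": "ec2.amazonaws.com", "userIdentity":
        {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}},
]

def audit_metadata_options(reservations):
    """Map instance ID -> findings for instances whose IMDS still answers IMDSv1-style GETs."""
    findings = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            problems = []
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                problems.append("HttpTokens is not 'required': unauthenticated GET is still served")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                problems.append("hop limit > 1: token responses can cross a network hop")
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings

def detect_offhost_role_use(events, trusted_cidrs):
    """Flag calls made with an EC2 instance-profile session from outside the trusted ranges."""
    nets = [ip_network(c) for c in trusted_cidrs]
    hits = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        session = ident.get("arn", "").rsplit("/", 1)[-1]
        if ident.get("type") != "AssumedRole" or not session.startswith("i-"):
            continue  # instance-profile sessions are named after the instance (.../myrole/i-...)
        try:
            src = ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # service principals log a DNS name rather than an address
        if not any(src in net for net in nets):
            hits.append((session, ev["eventName"], str(src)))
    return hits
```

In a real account, feed audit_metadata_options the Reservations list from describe-instances and detect_offhost_role_use the event records of a CloudTrail query, with the VPC and NAT egress ranges as trusted CIDRs.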
What are other names for AWS IMDSv1 Attack?
Common alternative names include: IMDSv1 credential theft, EC2 metadata attack.
● Related terms
- cloud-security№ 187
Cloud Metadata SSRF
A server-side request forgery attack that abuses a vulnerable application to query a cloud provider's instance metadata service and steal temporary credentials.
- cloud-security№ 190
Cloud Token Theft
Stealing OAuth, SAML, or signing tokens from a cloud identity service and replaying them to impersonate users or services without needing passwords.
- cloud-security№ 505
IAM Privilege Escalation
Abusing existing cloud IAM permissions to gain higher privileges, often via policy editing, role passing, or self-granting administrative rights.
- cloud-security№ 186
Cloud Key Leak
Accidental exposure of long-lived cloud access keys in public repositories, container images, logs, or client-side code, often abused within minutes.
- cloud-security№ 183
Cloud Data Exfiltration
The unauthorized copy or transfer of data out of a cloud account, often via object storage APIs, snapshots, replication, or attacker-controlled accounts.