Once upon a time in the vast cloud of Amazon Web Services (AWS) , there lived a humble EC2 instance i-0abc12345
In the past (IMDSv1), metadata was accessible via a simple GET request. While convenient, this was vulnerable to Server-Side Request Forgery (SSRF) attacks. If an attacker could trick a web application into making a request to that internal IP, they could steal sensitive IAM credentials. curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken
from an AWS EC2 instance. This is a security measure designed to prevent SSRF (Server-Side Request Forgery) attacks. Once upon a time in the vast cloud
curl -X PUT: To get the token, you must use a PUT request, which is a key security upgrade from the older version (IMDSv1) that only required simple GET requests. Why Is This Command Important? Medium·Gerald Nguyen from an AWS EC2 instance
curl http://169.254.169.254/latest/api/token command is essential for initiating a session with the Amazon Web Services (AWS) Instance Metadata Service Version 2 (IMDSv2), providing enhanced security against SSRF attacks. By issuing an HTTP PUT request to this endpoint, instances generate a short-lived, secure token required to access sensitive metadata and IAM credentials, replacing the vulnerable IMDSv1 standard. Read more about this security upgrade on the
While the command curl http://169.254.169.254/latest/api/token may appear benign, its presence in logs or source code should trigger a security review. It indicates an attempt to interact with the cloud metadata service — either as part of legitimate bootstrapping (e.g., user-data scripts, fetching temporary credentials) or as a reconnaissance/probing technique by an attacker.