Curl-url-http-3a-2f-2f169.254.169.254-2flatest-2fapi-2ftoken

Once an attacker has command execution on a VM (via a vulnerability like Log4Shell), they run:

TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/

Then they export the keys and assume the IAM role from their own machine.

The primary motivation for IMDSv2 was the mitigation of Server-Side Request Forgery (SSRF).

The IMDSv1 Vulnerability: In v1, a vulnerable web application could be tricked into visiting http://169.254.169.254/latest/meta-data/iam/security-credentials/. The metadata service would return sensitive credentials in the HTTP response body, which the attacker could then capture.

The IMDSv2 Defense: The IMDSv2 token endpoint requires the HTTP method PUT. This is a critical security feature. Most SSRF vulnerabilities in web applications exploit GET requests (e.g., fetching a URL provided by a user), so a GET-only SSRF cannot obtain a token, and without a valid token in the X-aws-ec2-metadata-token header the metadata endpoints refuse to return credentials.

This multi-step complexity significantly raises the bar for exploitation, effectively neutralizing simple SSRF vectors.
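The v1-versus-v2 difference described above, as an added toy model that is not AWS code: a fake metadata service whose `tokens_required` flag stands in for the EC2 `HttpTokens=required` option, exercised by a GET-only SSRF and by a proper v2 client. The role name is constructed sample data and the status codes are chosen to mirror the service's documented behaviour, not captured from a real instance.

```python
import secrets
import time
from dataclasses import dataclass, field

IMDS_HOST = "169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
MAX_TTL = 21600  # IMDSv2 caps a session token at six hours


@dataclass
class FakeImds:
    """Toy model (not AWS code). tokens_required=True mirrors HttpTokens=required
    (IMDSv2 only); False mirrors HttpTokens=optional (IMDSv1 still answers)."""
    tokens_required: bool
    role_name: str = "example-role"  # constructed sample data
    _tokens: dict = field(default_factory=dict)  # token -> expiry timestamp

    def request(self, method, path, headers=None, now=None):
        headers = headers or {}
        now = time.time() if now is None else now
        if path == TOKEN_PATH:
            if method != "PUT":  # a GET-only SSRF is stopped here
                return 405, "Method Not Allowed"
            ttl = headers.get("X-aws-ec2-metadata-token-ttl-seconds", "")
            if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
                return 400, "Bad Request: invalid TTL"
            token = secrets.token_urlsafe(32)
            self._tokens[token] = now + int(ttl)
            return 200, token
        token = headers.get("X-aws-ec2-metadata-token")
        if token is not None:  # a presented token is always validated
            if self._tokens.get(token, 0) <= now:
                return 401, "Unauthorized: bad or expired token"
        elif self.tokens_required:  # v2-only mode: no token, no metadata
            return 401, "Unauthorized: token required"
        if path == CREDS_PATH:
            return 200, self.role_name
        return 404, "Not Found"


def get_only_ssrf(imds):
    """What a typical SSRF bug can do: one attacker-chosen URL, always via GET."""
    return imds.request("GET", CREDS_PATH)


def legitimate_v2_client(imds):
    """The two-step flow a well-behaved SDK performs: PUT for a token, then GET."""
    status, token = imds.request("PUT", TOKEN_PATH,
                                 {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    assert status == 200
    return imds.request("GET", CREDS_PATH, {"X-aws-ec2-metadata-token": token})
```

Running the same GET-only SSRF against both modes shows why enforcing IMDSv2 is the fix: the v1-compatible instance hands over the role name, the v2-only instance answers 401.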

Cloud infrastructure relies heavily on metadata services to provide running instances with identity credentials, user data, and network configuration. In Amazon Web Services (AWS), this is handled by the Instance Metadata Service (IMDS), accessible via the link-local IP address 169.254.169.254.

Historically (IMDSv1), this service was a simple HTTP endpoint. While convenient, it exposed a significant attack surface. If an attacker could trigger an instance to make an HTTP request to that IP (via SSRF), they could steal IAM credentials. To mitigate this, AWS introduced IMDSv2, which requires a session token. The keyword curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken represents the URL-encoded path to this critical token retrieval endpoint.

Use secret scanning tools (TruffleHog, Gitleaks) to find patterns like 169\.254\.169\.254 in repositories.

Detect any curl or wget to 169.254.169.254 via CloudTrail (Data Events) or runtime security agents (Falco, Cilium, GuardDuty).

The string uses %3A for the colon (:) and %2F for the forward slash (/), so the final decoded command is:

curl http://169.254.169.254/latest/api/token

This is an AWS IMDSv2 (Instance Metadata Service Version 2) command. It requests a session token from the instance metadata service.

Add rules to block requests containing:

If this string appears in:

…then an attacker who finds it can reconstruct the command and attempt to run it against any target server they control — or worse, if they have network access to your cloud environment, they can run it against your instance metadata service.