Security

The Truth Behind EC2 Metadata at 169.254.169.254 - Link-Local Addresses and IMDSv2 Design

Learn why the EC2 Instance Metadata Service endpoint 169.254.169.254 is a link-local address, the history of SSRF exploitation, and how IMDSv2's token-based authentication came to be.

約 6 分で読めます

Where Is 169.254.169.254?

When you access http://169.254.169.254/latest/meta-data/ from inside an EC2 instance, it returns metadata about the instance, including the instance ID, AMI ID, IAM role temporary credentials, and network configuration. The address 169.254.169.254 is not a server on the internet but a local service provided by the Nitro System hypervisor. 169.254.0.0/16 is a link-local address range defined in RFC 3927 that is never forwarded beyond routers. This means requests to this address never leave the instance; the hypervisor responds directly. This design makes the metadata service immune to network failures and independent of VPC routing configuration. The metadata service is accessible from the moment an instance launches, even before network configuration completes. This reliability is why cloud-init first retrieves user data and network configuration from the metadata service when performing initial instance setup.

The Capital One Incident - The Day Metadata Was Leaked via SSRF

In July 2019, a breach at Capital One (a major US bank) exposed the personal information of approximately 100 million people. The attacker exploited an SSRF (Server-Side Request Forgery) vulnerability in Capital One's web application to retrieve IAM role temporary credentials from the EC2 instance metadata service. SSRF is an attack that forces a server-side application to make requests to arbitrary URLs. The attacker had the web application send a request to http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name, obtaining the IAM role's access key, secret key, and session token. Using these credentials, the attacker accessed S3 buckets and downloaded massive amounts of personal data. This incident exposed a fundamental design weakness in IMDSv1 (Instance Metadata Service Version 1). IMDSv1 returns metadata in response to simple HTTP GET requests, making it easily accessible through SSRF attacks.

IMDSv2 - Defense Through Token-Based Authentication

In response to the Capital One incident, AWS released IMDSv2 (Instance Metadata Service Version 2) in November 2019. IMDSv2 is a token-based authentication mechanism that requires a session token to access metadata. To retrieve metadata with IMDSv2, you must first obtain a session token via a PUT request, then include that token in an HTTP header when sending the GET request. This two-step authentication prevents SSRF attacks because most SSRF vulnerabilities can only execute GET requests. SSRF vulnerabilities capable of executing PUT requests are rare, and the additional complexity of extracting a token from the response header and including it in the next request makes exploitation extremely difficult. Furthermore, IMDSv2 token retrieval requests require the X-aws-ec2-metadata-token-ttl-seconds header, and IP-forwarded requests (which set TTL to 1, preventing them from crossing network hops) are also blocked. Since 2024, AWS has changed the default for new instances to IMDSv2 only and strongly recommends disabling IMDSv1.

The Full Picture of Information Available via Metadata

The metadata service provides a wide range of information: basic instance information (instance-id, instance-type, ami-id, hostname), network information (local-ipv4, public-ipv4, mac, network/interfaces), IAM role temporary credentials (iam/security-credentials/role-name), user data (user-data), and block device mapping (block-device-mapping), among others. The most critical piece is the IAM role temporary credentials. When an IAM role is attached to an EC2 instance, temporary access keys, secret keys, and session tokens become available through the metadata service. AWS SDKs use this mechanism internally and automatically, so developers never need to hardcode access keys in their code. Temporary credentials are automatically rotated with a typical validity period of 6 hours. The metadata service also includes instance user data. User data consists of scripts or data specified at instance launch time, used by cloud-init for initial configuration. Including passwords or secrets in user data is dangerous because anyone can read them through the metadata service.

Hardening the Metadata Service

Beyond enabling IMDSv2, there are several ways to further secure the metadata service. First, set HttpPutResponseHopLimit to 1. This blocks metadata access from within containers. If applications running in ECS or Docker containers do not need metadata service access, setting the hop limit to 1 prevents SSRF attacks from containers. Second, disable the metadata service entirely. Setting HttpEndpoint to disabled completely blocks access to the metadata service. For instances that do not need IAM role credentials (those using fixed credentials), disabling the metadata service is the safest option. Third, minimize IAM role permissions. Even if credentials leak from the metadata service, limiting the role's permissions contains the damage. In the Capital One incident, the leaked role had broad access permissions to S3 buckets, which amplified the damage. For a systematic approach to EC2 security design, specialized books (Amazon) are a helpful reference.

Related Services

Amazon EC2A compute service that provides virtual servers in the cloudAWS IAMAn authentication and authorization service for securely managing access to AWS resources

Related Articles

The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.IAM Policy Evaluation Logic Explained - How Implicit Deny Loses to Explicit AllowA step-by-step explanation of how IAM evaluates requests to allow or deny them, covering the priority of implicit deny, explicit allow, and explicit deny, as well as intersection logic for SCPs, permission boundaries, and session policies.How to Choose Amazon EC2 Instances - Optimizing Instance Families and Purchase OptionsUnderstand the characteristics of instance families and the performance advantages of Graviton processors, along with guidelines for choosing between On-Demand, Reserved, and Spot purchase options.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.AWS IAMAn authentication and authorization service for securely controlling access to AWS resources, providing fine-grained access management through users, groups, roles, and policiesWhy S3 Request Pricing Differs Between GET and PUT - The Economics of Storage I/OThis article explains why S3 GET requests cost one-tenth of PUT requests by examining the internal costs of writes, erasure coding, and consistency guarantees, along with practical techniques for optimizing request charges.Designing Identity and Access Management - Achieving Zero Trust Security with IAMLearn access management design techniques with AWS IAM, including the principle of least privilege, policy design, and achieving zero trust security through Cognito integration.Amazon CognitoA fully managed service that adds user authentication and authorization to web and mobile applications, with support for social login and SAML federation