Request URL http://169.254.169.254/latest/meta-data/iam/security-credentials/

Here is an in-depth look at what this request does, why it is a primary target for attackers, and how to protect it.

What is 169.254.169.254?

169.254.169.254 is the link-local address of the EC2 Instance Metadata Service (IMDS). It answers only to requests that originate from inside the instance, and it describes that instance, including the IAM (Identity and Access Management) role assigned to it.

http://169.254.169.254/latest/meta-data/iam/security-credentials/

By appending /latest/meta-data/iam/security-credentials/ to the metadata service URL, the instance requests its IAM security credentials. The path on its own lists the name(s) of the role(s) attached to the instance; appending one of those names to the path returns that role's credentials.

The feature allows an EC2 instance to request temporary security credentials for the IAM role(s) associated with it. This enables the instance to use these credentials to make secure requests to AWS services without needing to hard-code or store long-term access keys.

Example:

A GET request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ followed by the role name returns a JSON document of this shape:

    {
      "Code": "Success",
      "Type": "AWS-HMAC",
      "AccessKeyId": "ASIA...",
      "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
      "Token": "FQoGZXIvYXdzE...[very long string]",
      "Expiration": "2025-12-15T00:00:00Z"
    }

3. What happens at the endpoint?

The web server processes the request internally, bypasses perimeter defenses, queries the local metadata engine, and forwards the response back to the attacker outside the network.

Once an attacker holds these credentials, they can impersonate the instance and access any AWS resource the IAM role is permitted to use, often with devastating consequences.

How to protect it

Restrict who can reach the metadata service. Use host-based firewalls (iptables, nftables) to restrict access to 169.254.169.254 to only trusted processes, or block it entirely. For example, you can use iptables to prevent any process running as the Apache user (--uid-owner apache) from accessing the IMDS, so that a request smuggled through the web server never reaches the metadata endpoint while other processes on the host keep their access. Requiring IMDSv2 on the instance adds a further barrier: credentials are then served only to requests that carry a session token obtained with an HTTP PUT, which the plain GET of a typical SSRF cannot supply.

Scope the IAM role. Even if an attacker successfully steals credentials, their impact is limited by the permissions of the compromised IAM role. It is critical to follow the principle of least privilege. Do not attach overly permissive policies (like AdministratorAccess or * permissions) to EC2 instance roles. Instead, grant only the specific permissions required for the application to function. This practice, also known as "scoping" the IAM role, ensures that any credential theft will result in minimal damage, as the attacker will have access only to a subset of resources.
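The SSRF path described under "What happens at the endpoint?" only works because the web server hands a user-supplied URL to its HTTP client unchecked. The following is an added example, not code from the original article: the vulnerable handler next to a hardened destination check that refuses the metadata address in every form an attacker tends to try (dotted quad, IPv4-mapped IPv6, decimal or hex literals, and a hostname that resolves to it). The DNS table and injected resolver are constructed so the code runs offline; the function and hostnames are assumptions of this example.

```python
# Added example (not from the original article): the "fetch this URL for me"
# feature that SSRF abuses, in a vulnerable form and a hardened form that refuses
# to contact the instance metadata service. Assumptions: the DNS table and the
# injected resolver below are constructed so the code runs offline.
import ipaddress
import socket
from urllib.parse import urlsplit

IMDS_V4 = ipaddress.ip_network("169.254.169.254/32")
IMDS_V6 = ipaddress.ip_network("fd00:ec2::254/128")  # IMDS IPv6 endpoint

# Constructed stand-in for DNS: the attacker controls evil.example and points it
# at the metadata address, hiding the IP from a naive string blocklist.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "evil.example": ["169.254.169.254"],
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")
    return FAKE_DNS[host]


def vulnerable_target(url):
    """The vulnerable handler: whatever the user sent goes straight to the HTTP
    client. Returns the (scheme, host) it would connect to, with no checks."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname


def literal_ip(host):
    """Return the address for any literal the C resolver accepts (dotted quad,
    IPv6, and via inet_aton also decimal 2852039166, hex 0xa9fea9fe and octal
    forms), or None if the host is a name that needs DNS."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def is_blocked(ip):
    """True for any destination a server-side fetch must never reach: the IMDS
    addresses, link-local, loopback, private/ULA, reserved, multicast, unspecified."""
    addr = ipaddress.ip_address(str(ip))
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still 169.254.169.254
    return (
        addr in IMDS_V4 or addr in IMDS_V6
        or addr.is_link_local or addr.is_loopback or addr.is_private
        or addr.is_reserved or addr.is_multicast or addr.is_unspecified
    )


def hardened_target(url, resolve=fake_resolve):
    """Validate a user-supplied URL before any server-side request. Returns the
    single IP the caller may connect to, or raises ValueError. The caller must
    connect to exactly that IP (sending the Host header separately); letting the
    HTTP client resolve the name a second time reopens a DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    addr = literal_ip(host)
    if addr is None:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
    else:
        candidates = [addr]
    for cand in candidates:  # every answer must be safe, not just the first one
        if is_blocked(cand):
            raise ValueError(f"destination {cand} is not allowed")
    return str(candidates[0])


def rejects(url, resolve=fake_resolve):
    """Convenience for checks: True when the hardened validator refuses the URL."""
    try:
        hardened_target(url, resolve)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    imds = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    print("vulnerable handler would connect to:", vulnerable_target(imds))
    print("hardened handler rejects it:", rejects(imds))
```

The check deliberately validates the resolved address rather than the hostname string, because an attacker-controlled name, an IPv4-mapped IPv6 literal, or a bare decimal integer all end up at the same link-local address once the socket is opened.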
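The host-firewall advice above (block the Apache user from 169.254.169.254 while everything else keeps access) is shown here as an added example that is not from the original article. It builds the iptables owner-match rule for both the IPv4 and IPv6 metadata addresses, inserts each rule only if a `-C` probe says it is missing, and parses an `iptables -S OUTPUT` listing to verify the rule afterwards. The user name "apache", the numeric uid and the sample listing are constructed assumptions of this example; nothing is executed unless dry_run is False and the caller is root.

```python
# Added example (not from the original article): apply the host-firewall rule
# described above and verify it is in place. Assumptions: the user name
# "apache", the numeric uid 48 and the `iptables -S OUTPUT` listing below are
# constructed for the demo; commands run only with dry_run=False as root.
import ipaddress
import os
import pwd
import shlex
import subprocess

IMDS = {"ipv4": "169.254.169.254", "ipv6": "fd00:ec2::254"}
TOOL = {"ipv4": "iptables", "ipv6": "ip6tables"}

# Constructed `iptables -S OUTPUT` output as it looks once the rule is in place.
SAMPLE_LISTING = (
    "-P OUTPUT ACCEPT\n"
    "-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 48 -j DROP\n"
    "-A OUTPUT -j ACCEPT\n"
)


def imds_drop_rule(uid, family="ipv4"):
    """Match spec: drop outbound packets to the IMDS address that were generated
    by a socket owned by `uid`. The owner match only applies to locally generated
    traffic, which is exactly what the OUTPUT chain sees."""
    return ["-d", IMDS[family], "-m", "owner", "--uid-owner", str(uid), "-j", "DROP"]


def plan(uid):
    """(probe, insert) command pairs for both families. The probe exits 0 when
    the rule already exists; the insert puts it at position 1 of OUTPUT so the
    DROP precedes any broad ACCEPT rule that follows."""
    pairs = []
    for family in ("ipv4", "ipv6"):
        rule = imds_drop_rule(uid, family)
        probe = [TOOL[family], "-C", "OUTPUT", *rule]
        insert = [TOOL[family], "-I", "OUTPUT", "1", *rule]
        pairs.append((probe, insert))
    return pairs


def apply(user, dry_run=True, run=subprocess.run):
    """Resolve the user to a uid (iptables stores the owner numerically) and
    insert each missing rule. Returns the insert commands executed, or all of
    them when dry_run is True."""
    uid = user if isinstance(user, int) else pwd.getpwnam(user).pw_uid
    executed = []
    for probe, insert in plan(uid):
        if dry_run:
            executed.append(insert)
            continue
        if os.geteuid() != 0:
            raise PermissionError("must be root to change firewall rules")
        if run(probe, capture_output=True).returncode != 0:  # rule absent
            run(insert, check=True)
            executed.append(insert)
    return executed


def rule_present(listing, uid, family="ipv4"):
    """Parse `iptables -S OUTPUT` text and report whether the DROP rule for this
    uid and the IMDS address is present; run after apply() to verify."""
    want = ipaddress.ip_address(IMDS[family])
    for line in listing.splitlines():
        toks = shlex.split(line)
        if not {"-d", "--uid-owner", "-j"} <= set(toks):
            continue
        dest = ipaddress.ip_address(toks[toks.index("-d") + 1].split("/")[0])
        owner = toks[toks.index("--uid-owner") + 1]
        target = toks[toks.index("-j") + 1]
        if dest == want and owner == str(uid) and target == "DROP":
            return True
    return False


if __name__ == "__main__":
    for cmd in apply(48, dry_run=True):
        print(shlex.join(cmd))
    print("rule present in sample listing:", rule_present(SAMPLE_LISTING, 48))
```

Because the rule matches on the socket owner, it blocks only what runs as that uid; a helper that the web server spawns under a different account is not covered, and the same logic should be mirrored in nftables on hosts that no longer ship the iptables front end.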
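As a quick check for the "scoping" advice above, here is an added example, not from the original article, that flags IAM policy statements granting wildcard actions or applying mutating actions to every resource, so an instance role with AdministratorAccess-style permissions stands out. The two sample policy documents are constructed for the demo, and the heuristic is an assumption of this example rather than AWS's own evaluation logic; it is not a substitute for the IAM policy simulator or IAM Access Analyzer.

```python
# Added example (not from the original article): heuristic check that an EC2
# instance role's policy is scoped. Assumptions: the sample documents below are
# constructed; the read-only prefix list is this example's own approximation.
import json
import re

# Managed policy the article names as one not to attach to instance roles.
ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# Actions that commonly and legitimately need Resource "*" (pure read/list calls).
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|List|Describe|Head)", re.IGNORECASE)

# Constructed samples: the AdministratorAccess document, a service-wide wildcard,
# and a scoped policy that grants one bucket's object operations only.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SERVICE_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-uploads"},
    ],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad(policy):
    """Return human-readable findings for an IAM policy document (dict or JSON
    string). An empty list means no wildcard grant was found."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for n, st in enumerate(_as_list(policy.get("Statement")), start=1):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in st:
            findings.append(f"statement {n}: Allow with NotAction grants every action not listed")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        for a in actions:
            if a == "*":
                findings.append(f"statement {n}: Action '*' grants every API call (AdministratorAccess)")
            elif a.endswith(":*"):
                findings.append(f"statement {n}: Action '{a}' grants every call in that service")
        if "*" in resources:
            # Partial wildcards such as s3:Put* count as mutating here.
            mutating = [a for a in actions if a != "*" and not READ_ONLY.match(a)]
            if mutating:
                findings.append(f"statement {n}: Resource '*' applies {', '.join(mutating)} to every resource")
    return findings


def find_overbroad_attachments(managed_policy_arns):
    """Flag attached managed policies that are administrative by construction."""
    return [arn for arn in managed_policy_arns if arn == ADMIN_MANAGED_POLICY]


if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("service wildcard", SERVICE_WILDCARD_POLICY),
                      ("scoped", SCOPED_POLICY)):
        print(name, "->", find_overbroad(doc) or "no findings")
```

Feed it the documents returned by `aws iam get-role-policy` (inline policies) and `aws iam get-policy-version` (managed policies) for the instance profile's role; anything it reports is what a stolen credential from this endpoint would inherit.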