A penetration tester demonstrates that a vulnerable web application running on an EC2 instance can be exploited with an internal SSRF call to http://169.254.169.254/latest/meta-data/ and retrieve the instance's temporary IAM credentials. Which remediation best mitigates this specific cloud-native threat while still allowing legitimate software on the instance to obtain metadata when required?
Enable TCP SYN cookies on the Elastic Load Balancer fronting the application.
Reconfigure the instance to disable IMDSv1 and require IMDSv2 session tokens for all metadata requests.
Place the EC2 instance in a private subnet that has no route to the internet gateway.
Increase the randomness of the EC2 instance ID and periodically rotate it.
The attack abuses the EC2 Instance Metadata Service (IMDS). By default, IMDSv1 can be queried without authentication, so any process that can reach the link-local address 169.254.169.254 can harvest the temporary security credentials it returns. Enforcing IMDSv2 removes this weakness because every request must first acquire a time-limited session token, which is obtained through an HTTP PUT that a simple one-shot SSRF cannot issue. Completely blocking the metadata IP or moving the instance to a private subnet can break valid use cases, while hardening unrelated network controls (such as SYN cookies) does nothing against metadata theft.
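As an added illustration (not part of the original question or the exam provider's material), the following Python model contrasts the two IMDS modes from a defender's point of view: with `http_tokens="required"` (the setting `aws ec2 modify-instance-metadata-options --http-tokens required` applies on a real instance) a forwarded one-shot GET is refused, while legitimate software still obtains metadata by first minting a session token over PUT. The service class is a constructed simplification, and the returned credential string is a placeholder, not real IMDS output.

```python
import secrets
import time

CRED_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600  # IMDSv2 session tokens live at most six hours


class MetadataService:
    """Simplified IMDS model (constructed): tokens minted over PUT, metadata served over GET.
    http_tokens="optional" keeps the IMDSv1 path open (the legacy default); "required" is
    what `aws ec2 modify-instance-metadata-options --http-tokens required` enforces."""

    def __init__(self, http_tokens="optional"):
        self.http_tokens = http_tokens
        self._tokens = {}  # token -> expiry timestamp

    def put(self, path, headers):
        # Tokens are minted only by a PUT carrying a TTL header; a one-shot SSRF that
        # forwards a plain GET can supply neither, so it never obtains a session.
        if path != "/latest/api/token" or TTL_HEADER not in headers:
            return 400, "Bad Request"
        ttl = min(int(headers[TTL_HEADER]), MAX_TTL)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = time.time() + ttl
        return 200, token

    def get(self, path, headers=None):
        token = (headers or {}).get(TOKEN_HEADER)
        if token is not None and self._tokens.get(token, 0) > time.time():
            return 200, self._serve(path)  # valid IMDSv2 session
        if self.http_tokens == "optional" and token is None:
            return 200, self._serve(path)  # IMDSv1 fallback still permitted
        return 401, "Unauthorized"  # IMDSv2 enforced: no valid token, no metadata

    @staticmethod
    def _serve(path):
        # Placeholder; a real instance returns its role name and temporary keys here.
        return "ROLE-NAME-PLACEHOLDER" if path.startswith(CRED_PATH) else "ok"


def fetch_credentials_v2(imds):
    """Legitimate software after remediation: PUT for a token, then GET with it."""
    status, token = imds.put("/latest/api/token", {TTL_HEADER: "300"})
    if status != 200:
        return status, token
    return imds.get(CRED_PATH, {TOKEN_HEADER: token})


def one_shot_get(imds):
    """The single unauthenticated GET that the SSRF in the question forwards."""
    return imds.get(CRED_PATH)
```

Running `one_shot_get` against both modes shows the difference the explanation describes: the legacy mode hands over the placeholder credentials, the remediated mode answers 401, and `fetch_credentials_v2` still succeeds in both.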