During a black-box assessment, you exploit a server-side request forgery (SSRF) flaw in a customer-facing web application that runs on Amazon EC2 instances behind a load balancer. By directing the SSRF to 169.254.169.254/latest/meta-data/iam/security-credentials/, you are able to retrieve temporary AWS credentials. Which AWS hardening measure would most effectively block this credential-theft technique even if the SSRF remains unpatched?
Enforce Instance Metadata Service version 2 (IMDSv2) and set the PUT response hop limit to 1 in every instance's metadata options.
Attach a Service Control Policy that denies all s3:* actions to the AWS account root user.
Enable AWS Shield Advanced protection on the application's VPC subnets.
Disable public IPv4 addresses for the EC2 instances so the metadata service is unreachable from the Internet.
IMDSv2 replaces the open GET of IMDSv1 with a session-oriented handshake: the caller must first issue an HTTP PUT to /latest/api/token carrying an X-aws-ec2-metadata-token-ttl-seconds header, and then present the returned token in an X-aws-ec2-metadata-token header on every metadata GET. A typical SSRF lets the attacker choose the URL of a GET the backend issues, but not the HTTP method or custom request headers, so the token can never be minted and the credential path answers 401 instead of a role name. Two further IMDSv2 properties close common workarounds: the service refuses token requests that arrive with an X-Forwarded-For header (a request relayed through a proxy is rejected), and the PUT response hop limit, when set to 1, gives the token reply an IP TTL of 1 so it cannot be routed beyond the instance itself, for example out through a container bridge or NAT hop. Both settings live in the instance's metadata options (HttpTokens=required and HttpPutResponseHopLimit=1), not in the IAM instance profile; workloads that reach IMDS from containers on a bridge network need a hop limit of 2, so the value should be checked against how the application is deployed. With IMDSv1 disabled this way, an SSRF that remains exploitable no longer yields role credentials, although it can still reach other internal endpoints and should still be fixed. Removing public IPv4 addresses does not help, because 169.254.169.254 is a link-local address reached from inside the instance regardless of how the instance is exposed; AWS Shield Advanced addresses DDoS against edge resources, not application-layer request forgery; and a Service Control Policy denying s3:* to the root user does nothing to the instance role whose credentials the attacker would actually obtain. None of those options interrupts a backend that has already been induced to make internal HTTP calls on the attacker's behalf.
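The handshake described above, as an added example that is not part of the original page: a local stand-in for the metadata service that enforces IMDSv2 semantics, and three clients against it, a plain GET of the kind most SSRF bugs allow, a PUT relayed through a proxy, and the legitimate PUT-then-GET token exchange. The server, the loopback port, the issued token value and the role name app-instance-role are all constructed for this demonstration; only the header and path names are the real IMDSv2 ones.

```python
"""Constructed IMDSv2 stand-in: demonstrates why a GET-only SSRF cannot
mint or present the session token that IMDSv2 requires (added example)."""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"           # real IMDSv2 header
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"  # real IMDSv2 header
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
FAKE_ROLE = "app-instance-role"  # constructed role name, not real credentials


class FakeIMDSv2Handler(BaseHTTPRequestHandler):
    """Minimal IMDS with HttpTokens=required: no token, no metadata."""
    tokens = set()  # tokens this fake service has issued

    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, status, body=""):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Token minting: PUT only, TTL header mandatory, and (as the real
        # IMDS does) refuse anything that came through a forwarding proxy.
        if self.path != TOKEN_PATH:
            return self._reply(404)
        if "X-Forwarded-For" in self.headers:
            return self._reply(403, "forwarded token requests are refused")
        if TTL_HEADER not in self.headers:
            return self._reply(400, "missing TTL header")
        token = secrets.token_urlsafe(24)
        FakeIMDSv2Handler.tokens.add(token)
        self._reply(200, token)

    def do_GET(self):
        # IMDSv1 is disabled: every GET must carry a token we issued.
        if self.headers.get(TOKEN_HEADER) not in FakeIMDSv2Handler.tokens:
            return self._reply(401, "IMDSv1 disabled; session token required")
        if self.path == CREDS_PATH:
            return self._reply(200, FAKE_ROLE)
        self._reply(404)


def _send(req):
    """Return (status, body) and treat HTTP error responses as results."""
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def ssrf_style_get(base_url):
    """What a typical SSRF gives the attacker: a GET to a chosen URL,
    with no control over the method or custom headers."""
    return _send(urllib.request.Request(base_url + CREDS_PATH))


def proxied_put(base_url):
    """An SSRF that can forge a PUT but relays it via a proxy that adds
    X-Forwarded-For is still rejected by the token endpoint."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: "21600",
                                          "X-Forwarded-For": "203.0.113.9"})
    return _send(req)


def imdsv2_fetch(base_url, ttl_seconds=21600):
    """The legitimate handshake: PUT for a token, then GET presenting it."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    status, token = _send(req)
    if status != 200:
        return status, token
    req = urllib.request.Request(base_url + CREDS_PATH,
                                 headers={TOKEN_HEADER: token})
    return _send(req)


def run_demo():
    """Start the fake IMDS on an ephemeral loopback port, try all three
    client behaviours, and return their (status, body) results."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeIMDSv2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {"ssrf_get": ssrf_style_get(base),
                "proxied_put": proxied_put(base),
                "imdsv2": imdsv2_fetch(base)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the file shows the plain GET and the proxied PUT failing with 401 and 403 while the token handshake returns the role name. On a real fleet the same behaviour is switched on with aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1 --http-endpoint enabled (per instance), or made the account default for new launches with aws ec2 modify-instance-metadata-defaults --http-tokens required --http-put-response-hop-limit 1; raise the hop limit to 2 only where containers on a bridge network legitimately need the metadata service.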
Certified Ethical Hacker (CEH)
Cloud Computing