During a cloud penetration test you exploit an SSRF in a web app running on an EC2 instance. Because the instance still allows IMDSv1, you pull the temporary IAM role credentials and escalate privileges. The developers cannot change the code but still need on-instance metadata access. Which AWS control best blocks this attack path?
Configure the instance to require Instance Metadata Service v2 (IMDSv2) and set the hop limit to 1 so only on-instance calls with a valid session token succeed.
Remove the IAM role from the EC2 instance and deny the sts:AssumeRole action to every principal except administrators.
Disable access to the Instance Metadata Service entirely so the 169.254.169.254 address is unreachable from the instance.
Place the web server in a private subnet that has no direct route to the Internet Gateway.
IMDSv1 accepts unauthenticated HTTP requests to 169.254.169.254, so any SSRF that reaches this address can expose the instance's temporary IAM credentials. Requiring IMDSv2 forces callers to obtain a session token via an HTTP PUT request before each metadata query, and setting the hop limit to 1 prevents the request from leaving the instance's network stack. Together these options stop SSRF-originated metadata calls while preserving legitimate on-instance credential retrieval. Removing the role or disabling IMDS would break needed functionality, and subnet routing changes do not affect traffic that originates inside the instance.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Instance Metadata Service (IMDS) in AWS?
Open an interactive chat with Bash
How does IMDSv2 improve security over IMDSv1?
Open an interactive chat with Bash
What is SSRF and how does it exploit IMDSv1 in AWS?
Open an interactive chat with Bash
What is SSRF and how does it work?
Open an interactive chat with Bash
What is IMDSv2, and how does it enhance security?
Open an interactive chat with Bash
Why is the hop limit important in IMDSv2 configuration?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Cloud Computing
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .