During a web application assessment you discover a server-side request forgery flaw that lets you issue HTTP requests from an Amazon EC2 instance. Your first probe to http://169.254.169.254/latest/meta-data/iam/security-credentials/ is answered with HTTP/1.1 401 Unauthorized and the response header X-Aws-Ec2-Metadata-Token-Required: true. Which hardening measure on the instance is blocking your attempt to steal temporary AWS credentials?
The EC2 instance profile has been restricted to read-only S3 access, preventing exposure of credentials.
The instance's IAM role has been detached, eliminating any credentials to return from the metadata service.
A VPC endpoint policy is denying access to the EC2 service from the instance subnet.
Instance Metadata Service Version 2 (IMDSv2) has been enforced, so a session token must be obtained before metadata can be retrieved.
With Instance Metadata Service Version 2 (IMDSv2), the metadata endpoint will not return any information unless the caller first sends an HTTP PUT request to /latest/api/token that includes the header X-aws-ec2-metadata-token-ttl-seconds. The service then issues a short-lived session token that must be supplied in an X-aws-ec2-metadata-token header on subsequent metadata queries. If a request is made without that token, the service answers 401 Unauthorized and sets the header X-Aws-Ec2-Metadata-Token-Required: true. Enforcing IMDSv2 therefore thwarts straightforward SSRF attempts to harvest the temporary AWS credentials stored in the metadata service. Detaching the IAM role would break legitimate software on the instance, VPC endpoint policies do not guard the link-local metadata IP, and changing the instance profile's permissions does not stop access to whatever credentials do exist.
Certified Ethical Hacker (CEH)
Cloud Computing