A development team built a cloud-based deployment with an internal endpoint that was not restricted. A malicious actor queried that endpoint to collect short-lived access tokens and then leveraged them to reach additional cloud services. Which technique enabled the attacker to obtain those tokens?
Redirecting name resolution with a malicious DNS resolver
Fetching ephemeral credentials from the instance metadata service
Attempting brute-force attacks against user accounts
Searching a public code repository for embedded secrets
Gathering ephemeral credentials directly from the instance metadata service is the correct answer because most cloud providers expose temporary role-based credentials or OAuth tokens through a link-local endpoint (for example, 169.254.169.254). If this endpoint is reachable, an attacker can retrieve those short-lived credentials and reuse them against other cloud APIs. Brute-forcing user passwords targets permanent accounts, DNS manipulation changes name resolution but does not yield access keys, and scanning a public repository for secrets requires a separate source-code exposure. Therefore, harvesting credentials from the metadata service best explains how the attacker obtained the tokens.