1 minute read

What is IMDS?

Instance Metadata Service (IMDS) is a ‘magical’ service in cloud environments. The service can be used by cloud (compute) instances by issuing HTTP requests to the IP address 169.254.169.254.

Using this service, instances can gather information such as hostname, networking and user-data.

NOTE IMDSv1 is unauthenticated by default. Because the service is only reachable from the instance itself, no authentication is required. All data is available via HTTP GET requests.

Exploiting IMDS

Scenario:

  • Compute instance (e.g EC2 or Lambda) with default configurations (IMDSv1 enabled)
  • IAM Role attached to the instance (aka Instance Role)
  • Some code execution or SSRF vulnerability in the EC2 instance

If an attacker gets permissions to issue commands or requests from the instance, it is possible to retrieve data from the IMDS.

For example by issuing the following HTTP request, the name of the attached IAM role is shown:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials

To get the AWS access keys and token, issue the following command:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/[name of role]

Then use these credentials in your favorite terminal to connect to AWS.

Remediation

  • Disable IMDS for instances that do not use/need it
  • Use IMDSv2 by requiring an authentication token in stead of using the default optional setting.