curl --url http://169.254.169.254/latest/api/token

curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/

Security Benefits of IMDSv2

Enforce IMDSv2 using AWS Identity and Access Management (IAM) policies. The following policy condition blocks EC2 instances from launching if they allow IMDSv1:

TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

Modern firewalls and applications often strip out or block unrecognized custom headers. By requiring specific headers for both token creation and token usage, AWS leverages existing network defenses to block unauthorized access attempts.

Migration and Enforcement Best Practices

Open reverse proxies, misconfigured web application firewalls (WAFs), and SSRF flaws in web code usually cannot forge custom headers or execute PUT requests, stopping attackers in their tracks.

The IP address 169.254.169.254 is a link-local address used by cloud providers, most notably AWS, to host the Instance Metadata Service (IMDS).

This mechanism fundamentally changes the security model from an "open-by-default" model to an "opt-in verification" model. A standard curl request to retrieve the token resembles the following:

The metadata service answers these questions. However, the most critical endpoint is /latest/api/token.

Configure your security tools to alert on unexpected or high-frequency requests targeting 169.254.169.254, especially if they originate from user-facing applications.

curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
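The alerting advice above, worked through as an added example that is not part of the original page: a small detector run over constructed egress-log lines (the log format, the process names, the "user-facing" label set and the thresholds are all assumptions made for this demo). It flags three things a defender cares about: any IMDS request from a user-facing process, GETs refused with 401 (a client still attempting tokenless, IMDSv1-style reads), and bursts of IMDS requests from one source within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IMDS_IP = "169.254.169.254"

# Constructed sample lines from a host-level egress log (not real log data):
# <timestamp> <source ip> <process> <method> <url> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.1.5 webapp GET http://example.internal/health 200
2024-05-01T10:00:01Z 10.0.1.5 webapp GET http://169.254.169.254/latest/meta-data/ 401
2024-05-01T10:00:01Z 10.0.1.5 webapp PUT http://169.254.169.254/latest/api/token 200
2024-05-01T10:00:02Z 10.0.1.5 webapp GET http://169.254.169.254/latest/meta-data/ 200
2024-05-01T10:00:02Z 10.0.1.5 webapp GET http://169.254.169.254/latest/meta-data/iam/ 200
2024-05-01T10:05:00Z 10.0.2.9 ssm-agent PUT http://169.254.169.254/latest/api/token 200
"""

# Processes that serve end-user traffic; a hypothetical label set for this demo.
USER_FACING = {"webapp"}


def parse_line(line):
    """Split one constructed log line into a typed event record."""
    ts, src, proc, method, url, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "proc": proc, "method": method, "url": url, "status": int(status)}


def detect_imds_access(log_text, user_facing=USER_FACING,
                       burst_threshold=3, window=timedelta(seconds=60)):
    """Return (rule, subject, detail) findings for IMDS traffic worth an alert."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    imds = [e for e in events if e["url"].startswith(f"http://{IMDS_IP}/")]
    findings = []
    for e in imds:
        # Rule 1: any IMDS request from a process that faces users (SSRF exposure).
        if e["proc"] in user_facing:
            findings.append(("user_facing_imds", e["proc"], e["url"]))
        # Rule 2: a GET refused with 401 is a tokenless (IMDSv1-style) read attempt.
        if e["method"] == "GET" and e["status"] == 401:
            findings.append(("tokenless_get", e["proc"], e["url"]))
    # Rule 3: a burst of IMDS requests from one source inside the sliding window.
    by_src = defaultdict(list)
    for e in imds:
        by_src[e["src"]].append(e["ts"])
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.append(("imds_burst", src, end - start + 1))
                break
    return findings


if __name__ == "__main__":
    for finding in detect_imds_access(SAMPLE_LOG):
        print(finding)
```

In the sample, the legitimate agent's single token PUT raises nothing, while the web process trips all three rules; in production the same logic would run over the host's egress or proxy logs with the real process inventory substituted for the label set.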

The ability to access and manipulate data via curl and the metadata service has several practical applications:

The IP address 169.254.169.254 is a link-local address used by AWS. It is only accessible from within the EC2 instance itself. It acts as a specialized web server that provides information about the instance, such as IAM roles, security groups, public keys, and AMI IDs.

2. Breaking Down the curl Command

The IP address 169.254.169.254 is a link-local address used by all major cloud providers, primarily AWS, for their metadata services. It is not routable over the public internet. Instead, instances running in a Virtual Private Cloud (VPC) use it to communicate directly with the hypervisor.

# Step 1: Generate the token and store it in a variable
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

# Step 2: Use the token to securely access instance metadata
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
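The two-step flow above, as an added example that is not code from the original page or from AWS: a Python client performing the token PUT and the header-bearing GET, run against an in-process mock so the exchange can be observed offline. The mock reproduces only the behaviour the text describes (a PUT without the TTL header is refused, a GET without a valid token gets 401); the sample metadata body, the loopback address and the hypothetical helper names are constructed for this demo.

```python
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_PATH = "/latest/api/token"

# Constructed sample metadata served by the mock; not data from a real instance.
SAMPLE_METADATA = {"/latest/meta-data/": "ami-id\ninstance-id\niam/\n"}


class MockIMDSv2(BaseHTTPRequestHandler):
    """Mock of the token-required behaviour: PUT issues a session token,
    GET is refused (401) unless it carries a token this mock issued."""
    _tokens = set()

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        ttl = self.headers.get(TTL_HEADER)
        if self.path != TOKEN_PATH or ttl is None or not ttl.isdigit():
            return self._reply(400)  # token creation needs the TTL header
        token = secrets.token_urlsafe(32)
        MockIMDSv2._tokens.add(token)
        self._reply(200, token.encode())

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) not in MockIMDSv2._tokens:
            return self._reply(401)  # tokenless read: refused
        body = SAMPLE_METADATA.get(self.path)
        self._reply(200 if body else 404, (body or "").encode())


# Connect directly: an egress proxy must never sit between the client and IMDS.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_metadata(base_url, path="/latest/meta-data/", ttl=21600):
    """IMDSv2 read: PUT for a session token, then GET with the token header."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl)})
    with _opener.open(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base_url + path, headers={TOKEN_HEADER: token})
    with _opener.open(req, timeout=2) as resp:
        return resp.read().decode()


def status_without_token(base_url, path="/latest/meta-data/"):
    """IMDSv1-style GET with no token header; returns the HTTP status code."""
    try:
        with _opener.open(base_url + path, timeout=2) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def run_demo():
    """Start the mock on a random loopback port and exercise both request styles."""
    server = HTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {"v1_status": status_without_token(base),
                "v2_body": fetch_metadata(base)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The short timeouts and the empty ProxyHandler matter on a real instance as much as in the mock: a client that honours an environment proxy or blocks indefinitely is the kind of code path an SSRF tends to reuse, and a hop limit of 1 will make the PUT fail fast rather than hang.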

Set the metadata HTTP token hop limit to 1 for containerized environments. This prevents containers running inside a pod or Docker environment from reaching the host instance's metadata service.

So, the decoded meaning is effectively: curl --url http://169.254.169.254/latest/api/token

To get a token, your application must issue an HTTP PUT request to the /latest/api/token endpoint. This request must also include a custom header defining how long the token should remain valid, in seconds. Here is the standard curl command to acquire the token:

While IMDSv2 secures the transport layer, a significant gap remains in containerized environments (e.g., Docker, Kubernetes). The IMDS service operates at the node level.

curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"

1. What is 169.254.169.254?