curl http://169.254.169.254/latest/api/token
Requires a two-step process—token generation followed by authenticated request.
The session token cannot be retrieved from outside the instance. It stays tightly locked locally, meaning an attacker cannot request a token from their own machine and use it to attack the server remotely. Common Uses for Instance Metadata curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken
169.254.169.254 is a link-local IP address designed specifically for cloud environments (AWS, Azure, GCP). It is only accessible from within the running instance itself. It cannot be routed over the internet or accessed by other instances. It acts as a local repository for instance-specific data like: Instance ID IAM Security Credentials Network interfaces Security groups
: This is a link-local IP address used by major cloud providers—most notably AWS—to host the Instance Metadata Service (IMDS). It is only accessible from within the running cloud instance itself. curl http://169
If an attacker achieves Remote Code Execution (RCE) but the application layer blocks outward PUT headers, access to cloud control planes is severely limited.
The IP address 169.254.169.254 is a link-local address utilized by major cloud providers, most notably AWS. It hosts the Instance Metadata Service (IMDS). Common Uses for Instance Metadata 169
: This environment variable stores the resulting string token so it can be reused in subsequent metadata queries. Step 2: Using the Token to Fetch Data
: Set HttpTokens to required on all EC2 instances.
curl -X PUT "http://169.254.169" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" Use code with caution.
169.254.169.254 is a special IP address used by cloud providers (AWS, GCP, Azure, etc.) to serve instance metadata. The specific path /latest/api/token is part of (Instance Metadata Service Version 2), introduced by AWS to protect against SSRF (Server-Side Request Forgery) attacks.