About
The EC2 Instance Metadata Service provides important information about the EC2 instance. This includes several categories of information, such as the AMI ID, hostname, associated security groups, and more. Instance metadata is accessible from any application running on an EC2 instance via a link-local address (169.254.169.254).
Understanding Impact
Business Impact
An attacker with access to the metadata service can use credentials for lateral movement, data theft, or more depending on how highly privileged the instance profile is. This could result in financial damages from compliance fines, reputation damage from data leakage, or productivity lost in recovery when all temporary sessions need to be revoked.
Technical Impact
An attacker with access to an EC2 instance or exploiting a Server-Side Request Forgery (SSRF) in an application running on it can steal credentials from the Instance Metadata Service.
This will enable them to authenticate as the instance role and use the credentials outside of the instance.
Detection
GuardDuty findings:
You can also detect when an attacker is directly querying the metadata service from the instance by identifying commands such as curl 169.254.169.254.
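The detection heuristic above (flagging process command lines that reach 169.254.169.254, with the role-credential path treated as the most serious case) and the IMDSv2 hardening check from the references, as an added example that is not part of the original page or any Datadog product; the log records and the describe-instances excerpt are constructed for the example.

```python
import json
import re
from typing import Dict, List

# Link-local addresses of the EC2 Instance Metadata Service (IPv4 and IPv6).
IMDS_ADDRESSES = ("169.254.169.254", "fd00:ec2::254")
# Path under which IMDS returns the temporary credentials of the instance role.
CREDENTIAL_PATH = "/latest/meta-data/iam/security-credentials"

# Constructed process-execution records in a simple key="value" form (not real logs).
SAMPLE_EVENTS = [
    'user="www-data" cmd="curl http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role"',
    'user="ubuntu" cmd="curl -s http://169.254.169.254/latest/meta-data/hostname"',
    'user="root" cmd="curl https://example.com/health"',
    'user="www-data" cmd="curl -H X-aws-ec2-metadata-token:TOKEN http://[fd00:ec2::254]/latest/meta-data/iam/security-credentials/"',
]
# Constructed excerpt in the shape of `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
]}]})

def classify_command(cmdline: str) -> str:
    """'credential_access' if the command reads role credentials from IMDS,
    'metadata_access' for any other IMDS request, otherwise 'benign'."""
    if not any(addr in cmdline for addr in IMDS_ADDRESSES):
        return "benign"
    return "credential_access" if CREDENTIAL_PATH in cmdline else "metadata_access"

def scan_process_events(lines: List[str]) -> List[Dict[str, str]]:
    """Flag every record whose command line talks to the metadata service."""
    findings = []
    for line in lines:
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        verdict = classify_command(fields.get("cmd", ""))
        if verdict != "benign":
            findings.append({"user": fields.get("user", "?"), "cmd": fields["cmd"], "verdict": verdict})
    return findings

def instances_allowing_imdsv1(describe_output: str) -> List[str]:
    """Instance IDs still accepting IMDSv1, i.e. MetadataOptions.HttpTokens is not 'required'."""
    weak = []
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("MetadataOptions", {}).get("HttpTokens") != "required":
                weak.append(inst["InstanceId"])
    return weak

if __name__ == "__main__":
    print(scan_process_events(SAMPLE_EVENTS), instances_allowing_imdsv1(SAMPLE_DESCRIBE))
```

Requiring IMDSv2 (HttpTokens set to required) blocks the plain GET used in the first two sample commands, since a token obtained with a PUT request must accompany every metadata read.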
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.credential-access.ec2-steal-instance-credentials
See also the Stratus Red Team documentation for this technique, linked under References.
How Datadog can help
Application Security Management
Datadog Application Security Management detects this attack using the out-of-the-box rule "SSRF vulnerability triggered".
Cloud SIEM
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Compromised AWS EC2 Instance".
References
Steal EC2 Instance Credentials (stratus-red-team.cloud)
IMDSv2 (AWS documentation)
EC2 Instance Metadata SSRF (hackingthe.cloud)
Privilege Escalation in EKS Leveraging the IMDS (blog.christophetd.fr)
Technical Analysis of the Capital One Cloud Misconfiguration Breach (web.archive.org)
Cloud Metadata Abuse by UNC2903 (mandiant.com)
Datadog ASM | SSRF Rule (Datadog documentation)