Stealing EC2 instance credentials through the Instance Metadata Service


The EC2 Instance Metadata Service provides important information about the EC2 instance. This includes several categories of information, such as the AMI ID, hostname, associated security groups, and more. Instance metadata is accessible from any application running on an EC2 instance via a link-local address (

Understanding Impact

Business Impact

An attacker with access to the metadata service can use credentials for lateral movement, data theft, or more depending on how highly privileged the instance profile is. This could result in financial damages from compliance fines, reputation damage from data leakage, or productivity lost in recovery when all temporary sessions need to be revoked.

Technical Impact

An attacker with access to an EC2 instance or exploiting a Server-Side Request Forgery (SSRF) in an application running on it can steal credentials from the Instance Metadata Service.

This will enable them to authenticate as the instance role and use the credentials outside of the instance.


GuardDuty findings:

You can also detect when an attacker is directly querying the metadata service from the instance by identifying commands such as curl
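Detection of the off-instance credential use described above, as an added example that is not code from this page or from Datadog: it flags CloudTrail events in which an EC2 instance-profile role session calls AWS from a source IP outside the ranges the instance is expected to egress from. The account ID, instance ID, IP addresses and events are constructed, and the expected ranges are an operator-supplied assumption.

```python
import ipaddress
import re

# Instance-profile credentials are used through a role session named after
# the instance, so the assumed-role ARN ends in "/i-<instance id>".
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")


def instance_credential_use_outside_expected(events, expected_sources):
    """Return (eventID, instance_id, source_ip) for every CloudTrail event in
    which an instance role session calls AWS from an IP outside the ranges
    the instance should egress from (public IP, NAT gateway, VPC CIDR)."""
    allowed = [ipaddress.ip_network(n) for n in expected_sources]
    hits = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        match = INSTANCE_SESSION.search(ident.get("arn", ""))
        if not match:
            continue  # human or service role session, not an instance profile
        src = ev.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            # AWS services acting for the instance log a DNS name such as
            # "ec2.amazonaws.com" here instead of an IP; not credential reuse.
            continue
        if not any(ip in net for net in allowed):
            hits.append((ev["eventID"], match.group(1), src))
    return hits


# Constructed sample events (documentation IP ranges, fake account/instance).
_ROLE = "arn:aws:sts::123456789012:assumed-role/web-instance-role/i-0123456789abcdef0"
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": _ROLE}},
    {"eventID": "evt-2", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": _ROLE}},
    {"eventID": "evt-3", "eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": _ROLE}},
    {"eventID": "evt-4", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice"}},
]
EXPECTED_SOURCES = ["203.0.113.0/24"]  # assumed egress range of the instance

if __name__ == "__main__":
    for hit in instance_credential_use_outside_expected(SAMPLE_EVENTS, EXPECTED_SOURCES):
        print("instance credentials used off-instance:", hit)
```

Calls made through VPC endpoints are logged with the instance's private IP, so in that deployment the VPC CIDR belongs in the expected ranges or every such call will be flagged.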

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate aws.credential-access.ec2-steal-instance-credentials

See also the related documentation.

How Datadog can help

Application Security Management

Datadog Application Security Management detects this attack using the out-of-the-box rule "SSRF vulnerability triggered".

Cloud SIEM

Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Compromised AWS EC2 Instance".


Steal EC2 Instance Credentials


aws documentation

EC2 Instance Metadata SSRF

Privilege Escalation in EKS Leveraging the IMDS

Technical Analysis of the Capital One Cloud Misconfiguration Breach

Cloud Metadata Abuse by UNC2903

Datadog ASM | SSRF Rule

datadog documentation