The EC2 Instance Metadata Service (IMDS) provides information about the EC2 instance it runs on, such as the AMI ID, hostname, associated security groups, and the temporary credentials of the instance profile role. Instance metadata is accessible from any application running on an EC2 instance via a link-local address (169.254.169.254).
An attacker with access to the metadata service can use those credentials for lateral movement, data theft, or more, depending on how highly privileged the instance profile is. This could result in financial damages from compliance fines, reputation damage from data leakage, or productivity lost in recovery when all temporary sessions need to be revoked.
An attacker with access to an EC2 instance or exploiting a Server-Side Request Forgery (SSRF) in an application running on it can steal credentials from the Instance Metadata Service.
This will enable them to authenticate as the instance role and use the credentials outside of the instance.
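Credentials issued by an instance profile carry the instance ID as the role session name, so CloudTrail records of that session coming from an IP the instance does not own are a strong signal of the theft described above. The following added detection example (not code from this page or from Datadog; the CloudTrail records and the instance-to-IP inventory are constructed) flags such off-instance use:

```python
import re

# Constructed sample CloudTrail records (not real data). The session name in the
# assumed-role ARN of instance profile credentials is the EC2 instance ID.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0abc123def456789a"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0abc123def456789a"}},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]

# Assumed inventory: instance ID -> IPs its API calls legitimately originate from
# (public IP, NAT gateway, etc.). In practice this comes from your asset inventory.
INSTANCE_IPS = {"i-0abc123def456789a": {"203.0.113.10"}}

INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")


def instance_id_from_arn(arn):
    """Return the role session name when it is an EC2 instance ID, else None."""
    if ":assumed-role/" not in arn:
        return None
    session_name = arn.rsplit("/", 1)[-1]
    return session_name if INSTANCE_ID_RE.match(session_name) else None


def find_off_instance_use(events, instance_ips):
    """Return (instance_id, source_ip, eventName) tuples for instance-role
    credentials used from an IP that is not known to belong to the instance."""
    hits = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        iid = instance_id_from_arn(ident.get("arn", ""))
        if iid is None:
            continue
        src = ev.get("sourceIPAddress", "")
        # Calls an AWS service makes on the instance's behalf carry a service
        # name instead of an IP; they are not evidence of stolen credentials.
        if src.endswith(".amazonaws.com"):
            continue
        if src not in instance_ips.get(iid, set()):
            hits.append((iid, src, ev.get("eventName")))
    return hits


if __name__ == "__main__":
    for iid, src, name in find_off_instance_use(SAMPLE_EVENTS, INSTANCE_IPS):
        print(f"instance-role credentials of {iid} used from {src} ({name})")
```

The inventory must include every address the instance's traffic can egress from (NAT gateways, VPC endpoints), otherwise legitimate calls are flagged.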
You can also detect when an attacker is directly querying the metadata service from the instance by identifying commands such as
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.credential-access.ec2-steal-instance-credentials
See also the related documentation.
How Datadog can help
Application Security Management
Datadog Application Security Management detects this attack using the out-of-the-box rule "SSRF vulnerability triggered".
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "Compromised AWS EC2 Instance".
Steal EC2 Instance Credentials
EC2 Instance Metadata SSRF
Privilege Escalation in EKS Leveraging the IMDS
Technical Analysis of the Capital One Cloud Misconfiguration Breach
Cloud Metadata Abuse by UNC2903
Datadog ASM | SSRF Rule