
IMDSv1 Credential Access

Gain EC2 Metadata Credentials via SSRF

Published Dec 11, 2024

What is IMDSv1?

IMDSv1 (Instance Metadata Service version 1) is an earlier version of the Instance Metadata Service (IMDS) provided by AWS. IMDS is used by EC2 instances to access metadata about themselves, such as instance ID, security credentials, and security groups.

How IMDSv1 Works

IMDSv1 exposes instance metadata over a plain, unauthenticated HTTP interface. An EC2 instance reads its metadata by sending HTTP GET requests to the link-local address http://169.254.169.254, which is reachable only from the instance itself. IMDSv1 requires no token or special header, so any process on the instance that can issue an HTTP GET can read the metadata, including the temporary credentials of the IAM role attached through the instance profile. IMDSv2, by contrast, first requires a session token obtained with an HTTP PUT, which must then be sent as a header on every GET.

Server-side request forgery (SSRF) and the IMDSv1

Attackers can use the server-side request forgery (SSRF) technique to steal IAM credentials from the instance metadata. SSRF is a web application vulnerability that lets an adversary make the application issue requests to destinations of the attacker's choosing, including internal or link-local addresses the attacker cannot reach directly. In this context, an attacker exploits a web application running on an EC2 instance to request the IAM credentials from the instance metadata service and receives them in the application's response.

MITRE ATT&CK

Tactic: Credential Access (TA0006)
Technique: Unsecured Credentials: Cloud Instance Metadata API (T1552.005)

Retrieving IAM Credentials from an EC2 Instance using IMDSv1

To demonstrate this, the example below uses a web server listening on port 80 on an EC2 instance. The server has a simple SSRF vulnerability: it fetches a URL supplied in a request parameter, so we can make it request http://169.254.169.254 on our behalf.
Vulnerable parameter passing through URL of IMDS
A role is attached to the EC2 instance, so a request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (note the trailing slash) lists the name of the IAM role in the instance profile. The listing returns only the role name; the credentials themselves are one request further. In the example below we can see that the role name is ec2-cloudwatch.
Valid IAM Role attached to EC2 Instance

To retrieve the credentials, append the role name to the previous path. The request below returns the role's temporary credentials (AccessKeyId, SecretAccessKey, Token and Expiration). Exported as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, they can be used with the AWS CLI to sign API requests from anywhere, with whatever permissions the role holds.
Retrieve credentials
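The whole chain described above, as an added example that is not part of the original post: a mock of the metadata service, the vulnerable GET-only fetch that an SSRF bug gives the attacker, the two-step request sequence (list the role, then fetch its keys), and the same chain against an IMDSv2-only instance, where it fails because the attacker cannot issue the PUT that obtains a session token. The role name ec2-cloudwatch comes from the article; the mock server, the credential values and the vulnerable endpoint are constructed for the demo and run entirely offline.

```python
"""Offline model of IMDSv1 credential theft through SSRF, and why IMDSv2 blocks it.

Added example. Only the role name ec2-cloudwatch comes from the article; the mock
metadata service, the vulnerable fetch and the credential values are constructed.
"""
import json
import secrets
import time
from urllib.parse import urlsplit

IMDS_HOST = "169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
ROLE_NAME = "ec2-cloudwatch"

# Constructed sample response in the shape IMDS returns; these are not real keys.
FAKE_CREDS = {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "constructed-secret-key-for-the-demo",
    "Token": "constructed-session-token",
    "Expiration": "2024-12-11T18:00:00Z",
}


class MockIMDS:
    """Minimal stand-in for the metadata service at 169.254.169.254."""

    def __init__(self, require_token: bool):
        # require_token=False models HttpTokens=optional (IMDSv1 still allowed),
        # require_token=True models HttpTokens=required (IMDSv2 only).
        self.require_token = require_token
        self._tokens: dict[str, float] = {}   # session token -> expiry time

    def handle(self, method: str, path: str, headers: dict) -> tuple[int, str]:
        h = {k.lower(): v for k, v in headers.items()}
        # IMDSv2 session bootstrap: a PUT with a TTL header returns a session token.
        if method == "PUT" and path == "/latest/api/token":
            ttl = h.get("x-aws-ec2-metadata-token-ttl-seconds")
            if ttl is None:
                return 400, "missing X-aws-ec2-metadata-token-ttl-seconds"
            token = secrets.token_urlsafe(32)
            self._tokens[token] = time.time() + int(ttl)
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        if self.require_token:
            token = h.get("x-aws-ec2-metadata-token")
            if token not in self._tokens or self._tokens[token] < time.time():
                return 401, "unauthorized"
        if path == CREDS_PATH:
            return 200, ROLE_NAME                 # the listing gives role names only
        if path == CREDS_PATH + ROLE_NAME:
            return 200, json.dumps(FAKE_CREDS)    # the role's temporary credentials
        return 404, "not found"


def ssrf_fetch(imds: MockIMDS, url: str) -> tuple[int, str]:
    """The vulnerable web endpoint: it performs a plain GET of an attacker-supplied URL.

    The attacker controls the URL only, not the HTTP method or the request headers,
    which is the usual shape of an SSRF bug behind a ?url= style parameter.
    """
    parts = urlsplit(url)
    if parts.hostname != IMDS_HOST:
        return 502, "only the metadata host is modelled in this demo"
    return imds.handle("GET", parts.path, {})


def steal_instance_credentials(imds: MockIMDS):
    """The two-step chain from the article: list the role, then fetch its keys."""
    status, role = ssrf_fetch(imds, f"http://{IMDS_HOST}{CREDS_PATH}")
    if status != 200:
        return None
    status, body = ssrf_fetch(imds, f"http://{IMDS_HOST}{CREDS_PATH}{role.strip()}")
    if status != 200:
        return None
    return json.loads(body)


def sdk_style_fetch(imds: MockIMDS):
    """How a legitimate client (the AWS SDK or CLI) reads credentials under IMDSv2."""
    status, token = imds.handle("PUT", "/latest/api/token",
                                {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    if status != 200:
        return None
    auth = {"X-aws-ec2-metadata-token": token}
    status, role = imds.handle("GET", CREDS_PATH, auth)
    if status != 200:
        return None
    status, body = imds.handle("GET", CREDS_PATH + role.strip(), auth)
    return json.loads(body) if status == 200 else None


if __name__ == "__main__":
    v1 = MockIMDS(require_token=False)
    v2 = MockIMDS(require_token=True)
    print("IMDSv1 via SSRF:    ", steal_instance_credentials(v1)["AccessKeyId"])
    print("IMDSv2 via SSRF:    ", steal_instance_credentials(v2))
    print("IMDSv2, real client:", sdk_style_fetch(v2)["AccessKeyId"])
```

The attacker's fetch never gets past the 401 on the IMDSv2-only instance because the session token can only be minted with a PUT carrying a TTL header, and a URL parameter gives the attacker neither the method nor the header. That is the whole reason "require IMDSv2" is the first mitigation; an SSRF that also lets the attacker choose the method and headers (a full request proxy) is a different and rarer bug.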

IMDSv1 Credential Access Mitigations

  • Require IMDSv2. Set HttpTokens to required in the instance metadata options (for an existing instance, `aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required`; for new launches in a region, `aws ec2 modify-instance-metadata-defaults --http-tokens required`). IMDSv2 needs a session token obtained with an HTTP PUT, which a GET-only SSRF cannot issue. Leave the PUT response hop limit at 1 unless workloads behind an extra network hop (such as containers) genuinely need the token.
  • Apply the principle of least privilege to the EC2 instance profile. Stolen credentials are only as dangerous as the role's permissions; grant the role exactly the API calls the workload makes and nothing more.
  • Use the aws:EC2InstanceSourceVPC or aws:EC2InstanceSourcePrivateIPv4 global condition keys. Used in a Service Control Policy (SCP), they ensure that credentials issued to an EC2 instance can only be used from that instance's VPC or private IP, so credentials copied off the instance are rejected even if they are still valid. Note that the request-side values they are compared against (aws:SourceVpc and aws:VpcSourceIp) are only populated when the API call reaches the service through a VPC endpoint, so the instance's VPC needs endpoints for every AWS service it calls, or legitimate calls from the instance are denied as well. Below is an example policy using aws:EC2InstanceSourceVPC
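The SCP below is an added example following the pattern AWS documents for these condition keys; it is not the policy from the original page's screenshot. It assumes the instance's VPC has VPC endpoints for every service the workload calls (so that aws:SourceVpc is present in the request context) and that you attach it to a test organizational unit before rolling it out.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEC2RoleCredentialsUsedOutsideTheirVPC",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:EC2InstanceSourceVPC": "${aws:SourceVpc}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

Reading the three conditions together: the deny fires only for calls made with EC2 instance role credentials (ec2:SourceInstanceARN is present), made directly by the caller rather than by an AWS service on its behalf (aws:ViaAWSService is false or absent), where the VPC the credentials were issued to (aws:EC2InstanceSourceVPC) differs from the VPC the request actually came from (aws:SourceVpc). Credentials replayed from an attacker's machine carry the instance's source VPC but arrive with no matching aws:SourceVpc, so the StringNotEquals condition matches and the call is denied. Because aws:SourceVpc is only set for traffic through a VPC endpoint, missing endpoints produce the same denial for the legitimate instance, which is why the policy should be tested in a sandbox OU first.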
 
