IMDSv1 Credential Access
Gain EC2 Metadata Credentials via SSRF
Published Dec 11, 2024
IMDSv1 (Instance Metadata Service version 1) is an earlier version of the Instance Metadata Service (IMDS) provided by AWS. IMDS is used by EC2 instances to access metadata about themselves, such as instance ID, security credentials, and security groups.
IMDSv1 uses a simple, unauthenticated HTTP interface to provide instance metadata. EC2 instances access metadata by sending plain HTTP GET requests to the link-local IP address shown below.
Attackers can use the server-side request forgery (SSRF) technique to steal IAM credentials from instance metadata. SSRF is a web application vulnerability that allows an adversary to manipulate a web application into making requests to a destination of the attacker's choosing, including services that are only reachable from the server itself. In this context, an attacker could exploit a web application running on an EC2 instance to request IAM credentials from the instance metadata service and obtain those credentials.
Tactics: Credential Access
Technique: Unsecured Credentials
To demonstrate this, the example below shows a web server listening on port 80 on an EC2 instance. This web server has a simple SSRF vulnerability, allowing us to make requests to http://169.254.169.254. There is a role attached to the EC2 instance, so a request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ can be made. This returns the name of the IAM role attached to the EC2 instance, the role whose credentials we are after. In the example below we can see that the role name is ec2-cloudwatch.
To retrieve the credentials, we can append the role name to the previous query. The request below responds with valid credentials that can be used in the AWS CLI to authenticate API requests.
- Require IMDSv2
- Apply the principle of least privilege to the EC2 instance profile
- Use the aws:EC2InstanceSourceVPC or aws:EC2InstanceSourcePrivateIPv4 global condition keys. Using these conditions in Service Control Policies (SCPs) ensures that the IAM credentials of an EC2 instance can only be used from that specific instance. Below is an example policy using aws:EC2InstanceSourceVPC.
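An SCP of the kind described above, written out here as an added example rather than the page's own policy. It assumes the instance's API calls traverse VPC endpoints, because the comparison keys aws:SourceVpc and aws:VpcSourceIp are only populated on requests that arrive through one; the Null condition on ec2:SourceInstanceARN limits the deny to requests signed with instance-role credentials, and aws:ViaAWSService exempts calls that AWS services make on the instance's behalf.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceRoleCredsOutsideSourceVpc",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:EC2InstanceSourceVPC": "${aws:SourceVpc}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    },
    {
      "Sid": "DenyInstanceRoleCredsFromOtherPrivateIp",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:EC2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

With this policy attached, credentials lifted from an instance and replayed from anywhere other than that instance's own VPC and private IP are denied, so the stolen credentials from the SSRF above would be unusable; test it on a non-production OU first, since instances without VPC endpoints for the services they call will also be denied.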