Skip to main content

: You must first perform a PUT request to /latest/api/token to generate a temporary session token.

solves this by requiring a session-oriented authentication process:

: IMDSv2 requires a PUT request to ensure that simple GET-based SSRF vulnerabilities cannot trigger a token generation.

curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169 Use code with caution. Why This Matters for Security

In the past (IMDSv1), metadata was accessible via a simple GET request. While convenient, this was vulnerable to attacks. If an attacker could trick a web application into making a request to that internal IP, they could steal sensitive IAM credentials.

The IP address is a link-local address used by AWS to provide the Instance Metadata Service (IMDS) . Every EC2 instance can query this address to retrieve information about itself—such as its instance ID, public IP, IAM role credentials, and security groups—without needing to call the AWS API externally. The Evolution: From IMDSv1 to IMDSv2

The path http://169.254.169 is the gateway to secure instance management in AWS. If you are building or maintaining cloud infrastructure, ensuring your instances are configured to is a foundational security best practice that prevents credential theft via common web vulnerabilities.

Once you have the $TOKEN , you can access the metadata safely:

: You include that token in the header of all subsequent metadata requests. Breaking Down the Command

TOKEN=$(curl -X PUT "http://169.254.169" \ -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") Use code with caution.

Curl-url-http-3a-2f-2f169.254.169.254-2flatest-2fapi-2ftoken |verified| Access

: You must first perform a PUT request to /latest/api/token to generate a temporary session token.

solves this by requiring a session-oriented authentication process:

: IMDSv2 requires a PUT request to ensure that simple GET-based SSRF vulnerabilities cannot trigger a token generation. curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken

curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169 Use code with caution. Why This Matters for Security

In the past (IMDSv1), metadata was accessible via a simple GET request. While convenient, this was vulnerable to attacks. If an attacker could trick a web application into making a request to that internal IP, they could steal sensitive IAM credentials. : You must first perform a PUT request

The IP address is a link-local address used by AWS to provide the Instance Metadata Service (IMDS) . Every EC2 instance can query this address to retrieve information about itself—such as its instance ID, public IP, IAM role credentials, and security groups—without needing to call the AWS API externally. The Evolution: From IMDSv1 to IMDSv2

The path http://169.254.169 is the gateway to secure instance management in AWS. If you are building or maintaining cloud infrastructure, ensuring your instances are configured to is a foundational security best practice that prevents credential theft via common web vulnerabilities. Why This Matters for Security In the past

Once you have the $TOKEN , you can access the metadata safely:

: You include that token in the header of all subsequent metadata requests. Breaking Down the Command

TOKEN=$(curl -X PUT "http://169.254.169" \ -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") Use code with caution.