IMDS Credential Theft
Severity: High. Tactic: Credential Access.
An attacker with access to an EC2 instance can retrieve temporary IAM credentials from the Instance Metadata Service (IMDS).
Description
The EC2 Instance Metadata Service (IMDS) provides temporary credentials for the instance's IAM role at http://169.254.169.254/latest/meta-data/iam/security-credentials/.
If an attacker gains access to an EC2 instance (via SSH, SSM, or application-level exploit), they can query IMDS to retrieve the instance role's temporary access key, secret key, and session token.
With IMDSv1, a single HTTP GET to that path returns the credentials. IMDSv2 first requires a PUT request to obtain a session token, which must then be presented in a header on every subsequent GET; this mitigates SSRF attacks, because typical SSRF primitives cannot issue a PUT or set custom headers, but it does not help against an attacker who already has command execution on the instance.
The retrieved credentials can be used from anywhere — not just from the instance itself — until they expire (typically after 6 hours, with automatic rotation).
Impact
Access to all permissions of the instance's IAM role. Credentials can be exfiltrated and used externally.
Detection
Monitor for unusual API calls from EC2 instance role credentials, especially from IP addresses outside your VPC. Enable IMDSv2 and monitor for IMDSv1 usage.
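The following detection logic is an added example, not part of the original entry. It runs the two checks above over constructed CloudTrail-style records: it identifies calls made with instance-role credentials (an AssumedRole identity whose role session name is an instance ID, which is how IMDS-issued credentials appear), flags credentials delivered through IMDSv1 via the `ec2RoleDelivery` field in `sessionContext`, and flags use from a source address outside the networks you expect. The VPC CIDR, NAT egress address, account ID, role name and instance IDs are all made up for the example.

```python
import ipaddress
import re

# Constructed assumptions for this example: the networks from which this
# account's instance-role credentials are legitimately used.
EXPECTED_SOURCE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/16"),      # the VPC's CIDR
    ipaddress.ip_network("203.0.113.10/32"),  # NAT gateway egress IP
]

# Credentials fetched from IMDS carry the instance ID as the role session name.
INSTANCE_SESSION_NAME = re.compile(r"^i-[0-9a-f]{8,17}$")

# Constructed CloudTrail-style records (made-up account, role and instance IDs).
SAMPLE_EVENTS = [
    {   # normal: IMDSv2 credentials used from inside the VPC
        "eventID": "ev-1", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "10.0.1.5",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc12345def67890",
                         "sessionContext": {"ec2RoleDelivery": "2.0"}},
    },
    {   # credentials still being issued through IMDSv1
        "eventID": "ev-2", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "sourceIPAddress": "10.0.1.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0123456789abcdef0",
                         "sessionContext": {"ec2RoleDelivery": "1.0"}},
    },
    {   # instance-role credentials used from an address outside the VPC
        "eventID": "ev-3", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc12345def67890",
                         "sessionContext": {"ec2RoleDelivery": "2.0"}},
    },
    {   # an IAM user, not an instance role: out of scope for this rule
        "eventID": "ev-4", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
        "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    },
]


def is_instance_role_event(event):
    """True if the call used credentials issued to an EC2 instance role via IMDS."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return False
    session_name = identity.get("arn", "").rsplit("/", 1)[-1]
    return bool(INSTANCE_SESSION_NAME.match(session_name))


def source_is_expected(source_ip):
    """True if the sourceIPAddress is one we expect instance-role calls from."""
    # Calls made on the instance's behalf by AWS services are recorded with a
    # service principal or "AWS Internal" instead of an IP address.
    if source_ip == "AWS Internal" or source_ip.endswith(".amazonaws.com"):
        return True
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_SOURCE_NETWORKS)


def analyse(events):
    """Return (finding, eventID) pairs for suspicious instance-role activity."""
    findings = []
    for ev in events:
        if not is_instance_role_event(ev):
            continue
        ctx = ev["userIdentity"].get("sessionContext", {})
        # ec2RoleDelivery is "1.0" for IMDSv1-issued credentials, "2.0" for IMDSv2.
        if ctx.get("ec2RoleDelivery") == "1.0":
            findings.append(("imdsv1_credentials", ev["eventID"]))
        if not source_is_expected(ev.get("sourceIPAddress", "")):
            findings.append(("instance_role_used_outside_vpc", ev["eventID"]))
    return findings


if __name__ == "__main__":
    for finding, event_id in analyse(SAMPLE_EVENTS):
        print(f"{event_id}: {finding}")
```

The source-address check only works if the expected networks are maintained; instances that egress through a NAT gateway appear in CloudTrail with the NAT's public IP, so that address must be in the allow list or every call from the VPC will be flagged. The IMDSv1 check is useful during a migration: once no `ec2RoleDelivery: "1.0"` records appear for an instance, IMDSv2 can be enforced on it without breaking anything.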
Mitigation
Enforce IMDSv2 with hop limit 1. Apply least privilege to instance roles. Use VPC endpoints to reduce the need for broad network permissions. Monitor for credential use outside expected patterns.
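As an added example (not part of the original entry), the audit below walks a constructed `aws ec2 describe-instances` response and reports each instance whose `MetadataOptions` deviate from the baseline stated above: `HttpTokens` must be `required` (IMDSv2 only) and `HttpPutResponseHopLimit` must be 1. An instance with `HttpEndpoint` disabled exposes no credentials at all and is treated as compliant. The instance IDs and option values are made up; the remediation string is the real `modify-instance-metadata-options` CLI call.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output
# (instance IDs and option values are made up for this example).
DESCRIBE_INSTANCES_JSON = """
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
       "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                           "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
      {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
       "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                           "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
      {"InstanceId": "i-0ccccccccccccccc3",
       "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                           "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}}
    ]}
  ]
}
"""


def audit_metadata_options(describe_output):
    """Map instance ID -> list of deviations from the baseline
    (IMDSv2 required, hop limit 1). Instances with the IMDS endpoint
    disabled cannot hand out credentials and are skipped."""
    findings = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("HttpTokens=%s (IMDSv1 allowed)" % opts.get("HttpTokens"))
            hop = opts.get("HttpPutResponseHopLimit")
            if hop != 1:
                problems.append("HttpPutResponseHopLimit=%s (expected 1)" % hop)
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


def audit_describe_instances_json(text):
    """Convenience wrapper: audit the raw JSON text the CLI prints."""
    return audit_metadata_options(json.loads(text))


def remediation_command(instance_id):
    """The AWS CLI call that enforces IMDSv2 and a hop limit of 1 on one instance."""
    return (
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {instance_id} "
        "--http-tokens required --http-put-response-hop-limit 1 --http-endpoint enabled"
    )


if __name__ == "__main__":
    for instance_id, problems in audit_describe_instances_json(DESCRIBE_INSTANCES_JSON).items():
        print(instance_id, "->", "; ".join(problems))
        print("  fix:", remediation_command(instance_id))
```

Two caveats when applying the remediation. A hop limit of 1 stops the IMDS response from crossing a network hop, which is what blocks containers on a bridge network and other forwarded paths from reaching it; on hosts that run containers that legitimately need instance credentials, a limit of 2 is commonly required instead. Separately, the audit only reduces how easily credentials are obtained; to limit the damage once they are stolen, the instance role's policies should be scoped to least privilege and, where traffic goes through VPC endpoints, conditioned on the expected VPC or endpoint so that the credentials are refused when used from elsewhere.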