# EC2

## Overview

* Provides on-demand virtual compute resources

***

## Capabilities

### IMDS

* Instance Metadata Service (IMDS)
* Runs on every EC2 instance by default but [can be disabled](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances--turn-off-instance-metadata)
* [IMDSv2](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/) should be used when enabled (more secure)
* Retrieves [user-data or meta-data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html). User-data may contain hard-coded secrets; meta-data holds details about the instance itself, such as IP, hostname, and Instance Profile credentials.
* Available on the following URIs:
  * IPv4 `http://169.254.169.254/latest/meta-data/`
  * IPv6 `http://[fd00:ec2::254]/latest/meta-data/`

#### Get User-Data

* `aws ec2 describe-instance-attribute --instance-id "instanceId" --attribute userData`
* [EC2userDataDumper.sh](https://github.com/cloudbreach/CloudBreach_AWSScripts/blob/master/EC2userDataDumper.sh) - A simple Bash script that uses the AWS CLI to enumerate all EC2 instances and return their decoded user-data

#### Get Instance Profile Credentials

* If the instance has an IAM role attached to it, its credentials are available at `http://169.254.169.254/latest/meta-data/iam/security-credentials/<IamRoleName>`
* A similar path, `meta-data/identity-credentials/ec2/security-credentials/ec2-instance`, also exists, but it is used by AWS services such as SSM or EC2 Instance Connect. These are not valid credentials that can be used in API calls.

***

## Offensive Security Tactics & Techniques <a href="#offensive-security-tactics-and-techniques" id="offensive-security-tactics-and-techniques"></a>

### Privilege Escalation

{% embed url="<https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/aws-privilege-escalation/ec2>" %}

{% embed url="<https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/aws-attacks-and-techniques/server-side-request-forgery-ssrf>" %}
