EC2 overview and attacks


  • Instance Metadata Service (IMDS)

  • Runs on every EC2 instance by default but can be disabled

  • IMDSv2 should be used when enabled (more secure)

  • Retrieves user-data or meta-data e.g. user-data may contain hard-coded secrets, and meta-data has details on the instance itself like IP, hostname, Instance Profile creds, etc.

  • Available on the following URIs:

    • IPv4

    • IPv6 http://[fd00:ec2::254]/latest/meta-data/

Get User-Data

  • aws ec2 describe-instance-attribute --instance-id "instanceId" --attribute userData

  • - Simple bash script leveraging the aws cli, enumerates all ec2 instances, and returns decoded user-data

Get Instance Profile Credentials

  • If the instance has an IAM role attached to it, find it here,<IamRoleName>

  • Similarly, another path exists meta-data/identity-credentials/ec2/security-credentials/ec2-instance⁠ but this is used for AWS Services like SSM or EC2 Instance Connect. These are not valid credentials that can be used in API calls.

Last updated