EC2

EC2 overview and attacks

IMDS

  • Instance Metadata Service (IMDS)

  • Runs on every EC2 instance by default but can be disabled

  • When IMDS is enabled, IMDSv2 should be required (it is the more secure version)

  • Serves the instance's user-data and meta-data. User-data may contain hard-coded secrets; meta-data describes the instance itself (IP, hostname, Instance Profile credentials, etc.)

  • Available on the following URIs:

    • IPv4 http://169.254.169.254/latest/meta-data/

    • IPv6 http://[fd00:ec2::254]/latest/meta-data/

Get User-Data

  • aws ec2 describe-instance-attribute --instance-id "instanceId" --attribute userData

  • EC2userDataDumper.sh - a simple bash script that leverages the AWS CLI, enumerates all EC2 instances, and returns their decoded user-data
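As an added defender-side example (not from the original notes), the Python below audits the IMDS configuration returned by `aws ec2 describe-instances` for instances that still allow IMDSv1, and decodes the base64 user-data returned by the describe-instance-attribute command above to scan it for hard-coded secrets. The instance ids, the user-data content and the secret patterns are constructed for the example.

```python
import base64
import re

# Constructed sample shaped like `aws ec2 describe-instances` output (hypothetical instance ids).
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
]}]}

# Constructed sample shaped like `describe-instance-attribute --attribute userData` output;
# the CLI returns user-data base64-encoded, so the sample is encoded the same way.
SAMPLE_USER_DATA_ATTR = {"InstanceId": "i-0aaa", "UserData": {"Value": base64.b64encode(
    b"#!/bin/bash\nexport DB_PASSWORD=hunter2\necho hi\n").decode()}}

# Coarse patterns for secret-looking material in user-data (tune for your own fleet).
SECRET_PATTERNS = [
    re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*\S+"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # shape of an AWS access key id
]

def audit_imds(describe_instances):
    """Return {instance_id: [findings]} for instances with a weak IMDS configuration."""
    findings = {}
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS is off: nothing is reachable at 169.254.169.254
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens != required)")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop limit > 1 lets forwarded requests reach IMDS")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings

def decode_user_data(attr):
    """Base64-decode the UserData.Value field; empty string if no user-data is set."""
    value = (attr.get("UserData") or {}).get("Value")
    return base64.b64decode(value).decode(errors="replace") if value else ""

def find_secrets_in_user_data(attr):
    """Return (line number, line) pairs of decoded user-data that match a secret pattern."""
    hits = []
    for lineno, line in enumerate(decode_user_data(attr).splitlines(), 1):
        if any(p.search(line) for p in SECRET_PATTERNS):
            hits.append((lineno, line))
    return hits
```

Instances flagged as allowing IMDSv1 can be hardened with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`.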

Get Instance Profile Credentials

  • If the instance has an IAM role attached, the role's temporary credentials are served at http://169.254.169.254/latest/meta-data/iam/security-credentials/<IamRoleName>

  • A similar path, meta-data/identity-credentials/ec2/security-credentials/ec2-instance, also exists, but it is used by AWS services such as SSM and EC2 Instance Connect; these are not credentials that can be used for API calls.
