search
youtubelinkedingithub

EC2

EC2 overview and attacks

hashtag
Overview

  • Provides on-deman virtual compute resources

hashtag
Capabilities

hashtag
IMDS

  • Instance Metadata Service (IMDS)

  • Runs on every EC2 instance by default but can be disabledarrow-up-right

  • IMDSv2arrow-up-right should be used when enabled (more secure)

  • Retrieves user-data or meta-dataarrow-up-right e.g. user-data may contain hard-coded secrets, and meta-data has details on the instance itself like IP, hostname, Instance Profile creds, etc.

  • Available on the following URIs:

    • IPv4 http://169.254.169.254/latest/meta-data/

    • IPv6 http://[fd00:ec2::254]/latest/meta-data/

hashtag
Get User-Data

  • aws ec2 describe-instance-attribute --instance-id "instanceId" --attribute userData

  • EC2userDataDumper.sharrow-up-right - Simple bash script leveraging the aws cli, enumerates all ec2 instances, and returns decoded user-data

hashtag
Get Instance Profile Credentials

  • If the instance has an IAM role attached to it, find it here, http://169.254.169.254/latest/meta-data/iam/security-credentials/<IamRoleName>

  • Similarly, another path exists meta-data/identity-credentials/ec2/security-credentials/ec2-instance⁠ but this is used for AWS Services like SSM or EC2 Instance Connect. These are not valid credentials that can be used in API calls.

hashtag
Offensive Security Tactics & Techniques

hashtag
Privilege Escalation

LogoEC2 | Tech with Tylerwww.techwithtyler.devchevron-right
LogoServer Side Request Forgery (SSRF) | Tech with Tylerwww.techwithtyler.devchevron-right
PreviousComputeNextContainers

Last updated