EC2

EC2 overview and attacks

IMDS

  • Instance Metadata Service (IMDS)
  • Runs on every EC2 instance by default but can be disabled
  • When IMDS is enabled, IMDSv2 should be required; it is more secure than IMDSv1 because every request must carry a session token first obtained via a PUT request, which blunts simple SSRF-style reads
  • Serves user-data and meta-data: user-data may contain hard-coded secrets, and meta-data describes the instance itself (IP, hostname, Instance Profile credentials, etc.)
  • Available on the following URIs:
    • IPv4 http://169.254.169.254/latest/meta-data/
    • IPv6 http://[fd00:ec2::254]/latest/meta-data/

Get User-Data

  • aws ec2 describe-instance-attribute --instance-id "instanceId" --attribute userData
  • EC2userDataDumper.sh - Simple bash script leveraging the aws cli, enumerates all ec2 instances, and returns decoded user-data

Get Instance Profile Credentials

  • If the instance has an IAM role attached, the role name and its temporary credentials are served at http://169.254.169.254/latest/meta-data/iam/security-credentials/<IamRoleName>
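An added audit example that is not from the original page: it checks the two points above from the defender's side, parsing constructed `aws ec2 describe-instances` output for instances that still allow IMDSv1 (or expose instance-profile credentials with a weak hop limit) and decoding constructed `describe-instance-attribute --attribute userData` output to flag secret-like strings. The instance IDs, account number, ARN and secrets are made up.

```python
import base64
import json
import re

# Constructed sample output shaped like `aws ec2 describe-instances`
# and `aws ec2 describe-instance-attribute --attribute userData` (not real data).
DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/web-role"}},
    {"InstanceId": "i-0bbb222",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
]}]})
USER_DATA_ATTR = json.dumps({"InstanceId": "i-0aaa111", "UserData": {"Value": base64.b64encode(
    b"#!/bin/bash\nexport AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000PL\nexport DB_PASSWORD='hunter2'\n").decode()}})

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)(password|passwd|secret)\s*=\s*\S+"),
}

def audit_metadata_options(describe_instances_json):
    """Return {instance_id: [issues]} for instances whose IMDS settings weaken the IMDSv2 defence."""
    findings = {}
    for reservation in json.loads(describe_instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            issues = []
            if opts.get("HttpEndpoint", "enabled") == "enabled":
                if opts.get("HttpTokens") != "required":
                    issues.append("IMDSv1 still allowed (HttpTokens != required)")
                if opts.get("HttpPutResponseHopLimit", 1) > 1:
                    issues.append("hop limit > 1 lets containers on the host reach IMDS")
                if issues and "IamInstanceProfile" in inst:
                    issues.append("instance profile credentials reachable through weak IMDS settings")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings

def scan_user_data(attribute_json):
    """Decode the base64 UserData.Value from describe-instance-attribute and name any secret patterns found."""
    value = json.loads(attribute_json).get("UserData", {}).get("Value")
    if not value:  # instance launched without user-data
        return []
    text = base64.b64decode(value).decode("utf-8", errors="replace")
    return [name for name, pattern in SECRET_PATTERNS.items() if pattern.search(text)]

if __name__ == "__main__":
    print(audit_metadata_options(DESCRIBE_INSTANCES), scan_user_data(USER_DATA_ATTR))
```

Feed it the real CLI JSON (`aws ec2 describe-instances` and one `describe-instance-attribute` call per instance) to run the same checks across an account.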