Why is it crucial to protect AWS EC2 Metadata Endpoint?

Celestin Ntemngwa
2 min read · May 26, 2023

One powerful feature of AWS is that an EC2 instance can interact with other services, such as DynamoDB and S3, depending on the use case. The EC2 instance uses a token service to obtain authentication tokens, which it presents to a service; that service, in turn, grants the instance access. The tokens that EC2 uses are stored in the EC2 metadata endpoint.

Unfortunately, this is also one of the most abused aspects of EC2, precisely because these tokens are injected into the EC2 metadata endpoint. The metadata endpoint is an internally addressable web server that serves the metadata for that instance. That metadata contains valuable information, such as the user data that was injected to initialize the server, and it also includes the IAM security credentials, token information, and the IAM role that the server uses to access other AWS services.

Attackers often go after these tokens. One route is remote code execution (RCE) on the EC2 instance, followed by reading the tokens from the metadata endpoint; the stolen tokens are then used to access various AWS services. Another route is server-side request forgery (SSRF), combined with some URL manipulation, to reach the metadata endpoint, which is usually at 169.254.169.254, and steal the tokens from there.

This is why it is essential to protect the privileges that the EC2 instance has and to stick to least privilege. For example, this attack was used in a major financial institution breach that resulted in a fine of over $500 million. First, the attacker was able to access an EC2 instance and use SSRF to reach the metadata endpoint and steal the tokens. The attacker then realized that those tokens gave them access to many S3 buckets containing sensitive data.

IMDSv1 vs. IMDSv2

IMDSv2:

Instead of directly accessing the metadata service with a single HTTP GET request (as in IMDSv1), IMDSv2 makes access to the metadata more involved. With IMDSv2, you need to:

1. Send a PUT request with the X-aws-ec2-metadata-token-ttl-seconds header. This gives you a token that lasts for the number of seconds you put in this HTTP header. The maximum lifetime of a token is 21600 seconds.

2. The AWS metadata service on EC2 returns a token (to keep things simple, I'll call it Token3) to the script or app.

3. Your script then makes a GET request to the metadata service with Token3 in the request header, to request access to AWS services such as S3 buckets.

The process described above makes it much harder for attackers to carry out an SSRF attack against the metadata endpoint. In addition, that attack relies heavily on a plain GET request, which is now much harder to pull off, since the GET must carry a token that was first obtained through a PUT request with a custom header.
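The three-step exchange above, and the reason a plain GET no longer suffices, as an added example that is not from the original post: a small mock of the metadata service that enforces the IMDSv2 handshake (PUT with the TTL header, capped at 21600 seconds, hands out a token; GET without a valid token is refused), alongside a client that performs it. It assumes a loopback mock standing in for 169.254.169.254, a constructed role name and constructed credential values; the header names X-aws-ec2-metadata-token-ttl-seconds and X-aws-ec2-metadata-token are the real IMDSv2 ones.

```python
import json, secrets, threading, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"  # real IMDSv2 request header
TOKEN_HEADER = "X-aws-ec2-metadata-token"            # real IMDSv2 request header
MAX_TTL = 21600                                      # token lifetime cap (seconds)
CREDS_PATH = "/latest/meta-data/iam/security-credentials/demo-role"  # constructed role name

class MockIMDSv2(BaseHTTPRequestHandler):
    # Mock metadata service: hands out session tokens, refuses token-less GETs.
    tokens = {}  # token -> expiry timestamp (in-memory, constructed)

    def log_message(self, *args):  # keep the demo quiet
        pass
    def do_PUT(self):  # steps 1 and 2: PUT with TTL header -> token ("Token3" in the post)
        ttl = self.headers.get(TTL_HEADER, "")
        if self.path != "/latest/api/token" or not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
            return self._reply(400, "invalid or missing TTL header")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._reply(200, token)
    def do_GET(self):  # step 3: metadata is returned only with a valid, unexpired token
        token = self.headers.get(TOKEN_HEADER)
        if token is None or self.tokens.get(token, 0) < time.time():
            return self._reply(401, "token required")  # an IMDSv1-style plain GET ends here
        self._reply(200, json.dumps({"AccessKeyId": "ASIACONSTRUCTED", "SecretAccessKey": "constructed"}))
    def _reply(self, code, body):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body.encode())

def request_status(base, path, method="GET", headers=None):
    # HTTP status of one request, so rejected attempts can be observed.
    try:
        return request.urlopen(request.Request(base + path, method=method, headers=headers or {})).status
    except error.HTTPError as exc:
        return exc.code

def fetch_credentials(base, ttl=MAX_TTL):
    # Client side of the handshake: obtain a token, then read the role credentials with it.
    put = request.Request(base + "/latest/api/token", method="PUT", headers={TTL_HEADER: str(ttl)})
    token = request.urlopen(put).read().decode()
    get = request.Request(base + CREDS_PATH, headers={TOKEN_HEADER: token})
    return json.loads(request.urlopen(get).read())

def start_mock():
    # Serve the mock on a loopback port (stands in for 169.254.169.254).
    server = HTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"
```

Against a real instance the same client code works with the base URL set to http://169.254.169.254, which is also a quick way to confirm that IMDSv1-style GETs are refused once the instance requires IMDSv2.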
