curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken

Let's break down the obfuscation. The string curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken is a command: the dashes stand in for spaces and for the percent signs of URL encoding (3A is ":" and 2F is "/"), so it decodes to:

curl http://169.254.169.254/latest/api/token

This endpoint allows an application or user inside a cloud instance (like AWS EC2) to securely request a session token.

How the Token Request Works

Historically, IMDSv1 worked with simple queries: you could request any metadata path with a single, unauthenticated GET.

While convenient, this architecture posed a massive security risk. If a web application running on the server had an open SSRF vulnerability, an external attacker could trick the application into fetching the metadata, including administrative IAM credentials, and exposing them over the internet.

IMDSv2 (The Secure Method)

This mechanism fundamentally changes the security model from "open-by-default" to "opt-in verification". A standard curl request to retrieve the token resembles the following (the token request must be a PUT and must carry the token TTL header):

curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"

The response will include a token that can then be used to access other metadata. For example, once you have the token, you can use it like this: make a GET request to the desired metadata endpoint, passing the acquired token in the HTTP header. Now you can request any metadata endpoint by adding that header to the request.

IMDSv2 successfully neutralizes several common attack vectors through unique architectural constraints.

1. SSRF Mitigation

This breaks many SSRF attacks because most SSRF vectors only allow GET (not PUT) and cannot set arbitrary headers.

If you see this keyword in your network traffic or code repositories, immediate action is required. Here is how to secure your infrastructure by requiring IMDSv2 tokens on an instance:

aws ec2 modify-instance-metadata-options \
  --instance-id i-12345 \
  --http-tokens required \
  --http-endpoint enabled

If disabled, you can enable it via the AWS Console, CLI, or CloudFormation (requires instance stop/start if not using MetadataOptions at launch).