Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
An attacker needs to identify a vulnerable EC2 instance and then successfully exploit the instance to gain access to the IMDS. A successful exploit enables the attacker to retrieve IAM role credentials that could enable access to S3 buckets or other lateral movement across the network.
Kill Chain
Risk Score
84
%2520Proxy-LT.png&w=1080&q=75)
An Amazon Elastic Compute Cloud (EC2) instance is a virtual machine that you can configure in the AWS cloud. Every EC2 instance has its own set of metadata that contains information such as the hostname, user data, and the security groups associated with the instance. All of this information can be accessed through the Instance Metadata Service (IMDS), which can only be accessed locally from the instance at the link-local address 169.254.169.254. If an EC2 instance is not configured properly, or an attacker exploits a server-side request forgery vulnerability (SSRF), the attacker can manipulate the EC2 instance into acting as a proxy for communication with IMDS. If an attacker can communicate with IMDS, they can query for security information about the instance, which could expose credentials for the Identity and Access Management (IAM) roles attached to the instance.
Configure web application access controls to block unauthorized access to the IMDS API
Update to EC2 IMDSv2 to enable enhanced authentication and reduce the number of vulnerabilities that can be exploited
