This article will teach you about EC2 metadata and why it is important.
You will also learn how to disable metadata to protect yourself from attacks like SSRF.
By using Amazon EC2, you may develop and deploy apps more quickly without making an upfront hardware investment.
Launch as many or as few virtual servers as your needs require.
Set up networking and security options and control storage using Amazon EC2.
Instance metadata categories include hostname, events, and security groups.
Instance metadata also gives you access to the user data you specified when launching your instance.
You may include a short script or specify parameters while configuring your instance.
With user data, you can build generic AMIs and adjust their configuration files at launch time.
AWS recommends IMDSv2 as the preferred method.
Use the following IPv4 or IPv6 URIs to view all types of instance metadata from a running instance.
To view instance metadata, you can only use the link-local address 169.254.169.254.
Requests to the metadata via the URI are free, so there are no additional charges from AWS.
The Need to Disable Metadata
In AWS environments, the SSRF attack is frequent and well known.
IMDSv2 significantly reduces the chance of an adversary stealing IAM credentials via SSRF.
The metadata service is accessible to the majority of EC2 instances at 169.254.169.254.
This contains beneficial information about the instance, such as its IP address, security group name, etc.
Whether those credentials can be stolen depends on the version of IMDS in use and the capabilities of the SSRF.
It is also worth considering that an adversary with shell access to the EC2 instance could obtain these credentials.
In this example, a web server runs on the EC2 instance's port 80.
This web server has a simple SSRF vulnerability that lets a client make it send GET requests to any address.
This can be used to send a request to http://169.254.169.254.
To disable metadata for your instance, use the modify-instance-metadata-options CLI command and set the http-endpoint parameter to disabled.
You can reverse this change at any time by re-enabling the HTTP endpoint.
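The following script is an added example, not part of the original article or of any AWS tooling. It audits the MetadataOptions of your instances from the text output of aws ec2 describe-instances and, for any instance that still answers IMDSv1 requests, prints (or with ENFORCE=1 runs) the modify-instance-metadata-options command that enforces IMDSv2 via --http-tokens required, the alternative to disabling the endpoint outright that the article recommends; the instance IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit EC2 instances for IMDSv1 exposure and plan remediation.
# Input format is the tab-separated output of (assumed to be run by the reader):
#   aws ec2 describe-instances --output text \
#     --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpEndpoint,MetadataOptions.HttpTokens]'
# Set ENFORCE=1 to execute the remediation commands instead of printing them.

# Decide what to do with one instance; prints either a status line or a CLI command.
plan_for_instance() {
  id="$1"; endpoint="$2"; tokens="$3"
  if [ "$endpoint" = "disabled" ]; then
    echo "$id: metadata endpoint disabled, nothing to do"
  elif [ "$tokens" = "required" ]; then
    echo "$id: IMDSv2 already enforced, nothing to do"
  else
    # HttpTokens=optional means IMDSv1 still answers plain GETs, which is what an
    # SSRF can reach. Require a session token; hop limit 1 keeps the token response
    # from being forwarded beyond the instance itself (e.g. out of a container).
    echo "aws ec2 modify-instance-metadata-options --instance-id $id --http-tokens required --http-put-response-hop-limit 1"
  fi
}

# Read the audit table from stdin, one instance per line.
audit_imds() {
  while IFS="$(printf '\t')" read -r id endpoint tokens; do
    [ -n "$id" ] || continue
    plan="$(plan_for_instance "$id" "$endpoint" "$tokens")"
    case "$plan" in
      "aws ec2"*) if [ "${ENFORCE:-0}" = "1" ]; then $plan; else echo "PLAN: $plan"; fi ;;
      *) echo "OK:   $plan" ;;
    esac
  done
}

# Constructed sample describe-instances output (placeholder IDs, not real instances).
SAMPLE="$(printf 'i-0aaaaaaaaaaaaaaa1\tenabled\toptional\ni-0bbbbbbbbbbbbbbb2\tenabled\trequired\ni-0ccccccccccccccc3\tdisabled\toptional\n')"

# Against a real account: aws ec2 describe-instances ... | audit_imds
printf '%s\n' "$SAMPLE" | audit_imds
```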