Originally, cloud metadata services were simple and dangerous.
169.254.169.254 is a special IP address used by cloud providers (AWS, GCP, Azure, etc.) to serve instance metadata. The specific path /latest/api/token is part of IMDSv2 (Instance Metadata Service Version 2), introduced by AWS to protect against SSRF (Server-Side Request Forgery) attacks.
CloudTrail logs do not capture metadata service calls. Instead, use: curl --url http://169.254.169.254/latest/api/token
169.254.0.0/16 is the link-local address range (IPv4). These addresses are not routable on the internet — they are designed for communication within a single network segment.
Cloud providers reserve 169.254.169.254 for their instance metadata service. From inside a virtual machine (EC2 instance in AWS, Compute Engine VM in GCP, Virtual Machine in Azure), you can query this IP to get information about the instance itself without needing any external credentials.
Once an attacker has command execution on a VM (via a vulnerability like Log4Shell), they run:
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
Then they export the keys and assume the IAM role from their own machine.
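The metadata calls themselves leave no CloudTrail trace, but the API calls made afterwards with the stolen instance-role credentials do. The following added example (not code from the original page) flags CloudTrail events where an EC2 instance-profile session (session name equal to an instance id) is used from an IP that is not the instance's known egress address; the event records and the instance-to-IP map are constructed sample data, and the map is assumed to hold each instance's public or NAT egress IP.

```python
"""Detect EC2 instance-role credentials being used from outside the instance.
Constructed sample data; field names mirror the CloudTrail record schema."""
from typing import Dict, List, Optional

# Constructed: instance id -> egress IP the instance is known to use.
# (Assumption: populated from describe-instances or VPC flow data.)
INSTANCE_IPS: Dict[str, str] = {"i-0abc123def4567890": "203.0.113.10"}

# Constructed CloudTrail records; account id, role name and IPs are invented.
SAMPLE_EVENTS = [
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebRole/i-0abc123def4567890"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebRole/i-0abc123def4567890"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]


def session_instance_id(arn: str) -> Optional[str]:
    """Return the role-session name when it is an EC2 instance id.
    Instance-profile sessions are named after the instance:
    arn:aws:sts::<acct>:assumed-role/<role>/<i-...>"""
    parts = arn.split("/")
    if len(parts) == 3 and parts[0].endswith(":assumed-role") and parts[2].startswith("i-"):
        return parts[2]
    return None


def find_exfiltrated_credential_use(events: List[dict], instance_ips: Dict[str, str]) -> List[dict]:
    """Return one finding per event whose instance-role session is used from an unexpected IP."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        iid = session_instance_id(ident.get("arn", ""))
        if iid is None:
            continue
        src = ev.get("sourceIPAddress", "")
        if src.endswith(".amazonaws.com"):  # calls made on the role's behalf by an AWS service
            continue
        expected = instance_ips.get(iid)
        if expected is None or src != expected:
            findings.append({"instance": iid, "source_ip": src,
                             "expected_ip": expected, "event": ev["eventName"]})
    return findings


if __name__ == "__main__":
    for f in find_exfiltrated_credential_use(SAMPLE_EVENTS, INSTANCE_IPS):
        print(f"ALERT: {f['instance']} credentials used from {f['source_ip']} "
              f"(expected {f['expected_ip']}) for {f['event']}")
```

An instance whose egress IP changes (autoscaling, new NAT gateway) will also trip this check, so the map must be kept current; the point is that the use of stolen keys, unlike the IMDS request that obtained them, is visible in CloudTrail.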
169.254.169.254 is a link-local IP address used by major cloud providers (AWS, Google Cloud, Azure, and others) to serve instance metadata. This metadata includes:
In AWS IMDSv2 (the latest version), the workflow is:
However, the simplified command in your keyword:
curl http://169.254.169.254/latest/api/token — only fetches the token, not the credentials themselves. Still, in a real attack, once the attacker has this token, they can use it to fetch IAM credentials.
Set --http-put-response-hop-limit 1 so that containers or proxies cannot forward metadata requests.