curl -H "X-aws-ec2-metadata-token: YOUR_TOKEN_HERE" http://169.254.169.254/latest/meta-data/instance-id
http://169.254.169[role-name] Public/Private IP Addresses: http://169.254.169
metadata_get() local path="$1" local token=$(get_token) curl -s -H "X-aws-ec2-metadata-token: $token" "http://169.254.169.254/latest/$path" curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken
First, send a PUT request to get a token. This token will act as a temporary credential to access metadata.
If disabled, you can enable it via the AWS Console, CLI, or CloudFormation (requires instance stop/start if not using MetadataOptions at launch). The specific keyword curl-url-http-3A-2F-2F169
The specific keyword curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken represents the modern era of cloud attacks.
# Get the token TOKEN=`curl -X PUT "http://169.254.169" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` # Use the token to get instance identity curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169 Use code with caution. Copied to clipboard You can enforce IMDSv2 globally using AWS Organizations
: Disable IMDSv1 across your AWS environment. You can enforce IMDSv2 globally using AWS Organizations Service Control Policies (SCPs) or per instance using the AWS CLI:
The keyword curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken is more than a technical curiosity. It is a and a blue team alarm bell .