/latest/meta-data/ is part of the path used to access metadata about the instance.
The address 169.254.169.254 is a . This is a special, non-routable IP address range ( ) that is not accessible from the public internet.
"Code" : "Success", "LastUpdated" : "2025-05-28T10:00:00Z", "Type" : "AWS-HMAC", "AccessKeyId" : "ASIA...", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCY...", "Token" : "IQoJb3JpZ2luX2VjEHwaCXVzLW...", "Expiration" : "2025-05-28T16:00:00Z"
http://169.254.169.254/latest/meta-data/iam/security-credentials/ /latest/meta-data/ is part of the path used to
While our keyword is specific to AWS’s IMDSv1 (the /latest/ path), all major cloud providers have similar endpoints:
: This is a link-local address used by the AWS Instance Metadata Service (IMDS) to allow instances to access information about themselves.
If the EC2 instance has an IAM role attached, a GET request to that URL lists all available role names. Appending a role name, e.g., /security-credentials/MyRole , returns a JSON document containing: The URL we provided is used to retrieve
When an AWS instance is launched, it can access its own metadata using the metadata service endpoint. The URL we provided is used to retrieve temporary security credentials for the instance. These credentials are used to authenticate and authorize the instance to access other AWS resources.
Example in Python using socket :
💡 : To protect your AWS instances, enforce IMDSv2 and set the "Metadata response hop limit" to 1. By default in IMDSv1
Because the request comes from inside the instance, it bypasses external firewalls and WAFs.
import socket from urllib.parse import urlparse
What Does This String Mean? The string fetch-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta data-2Fiam-2Fsecurity credentials-2F represents a URL-encoded attempt to exploit a cloud infrastructure vulnerability.
By default in IMDSv1, any process running on the instance can query this server without a password or API key.