The metadata endpoint at 169.254.169.254 is the most important IP address in cloud computing. It serves credentials, user-data, instance identity and configuration to workloads. It is reachable from inside the instance (intended) and, through SSRF, sometimes from outside (unintended). That combination turned SSRF from an inconvenience into a path to cloud account compromise.
Why this happens
Cloud instances need credentials to call other services (S3, databases, queues). Managing long-lived credentials by hand is painful, so cloud providers solved it with instance metadata: the instance asks the metadata endpoint for the credentials of its attached role and receives short-lived temporary credentials in return. Elegant for legitimate use.
The endpoint sits at a link-local address (169.254.169.254, inside 169.254.0.0/16) that is never routed off the host, so only code running on the instance can reach it. Workload code fetches http://169.254.169.254/... to obtain its credentials. AWS, Azure and GCP all use this same address; Azure and GCP additionally require a custom request header (Metadata: true and Metadata-Flavor: Google respectively), which already defeats an SSRF that cannot set headers.
The catastrophe: if the workload has an SSRF bug, the attacker can make the workload fetch the metadata endpoint on their behalf, and a plain GET with no headers is all that IMDSv1 needs. The temporary credentials for the instance's role leak out, and if that role is broad, cloud account compromise follows.
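The mechanism above in code, as an added example that is not from the original page: a server-side "fetch this URL" feature written the usual vulnerable way, next to a hardened version that refuses to reach the metadata service. The resolver is injectable so the checks can be exercised offline; the hostnames and addresses used with it are constructed for illustration, and nothing here is a library's own API beyond the Python standard library calls shown.

```python
"""Added example, not code from the original page: a vulnerable URL fetcher
beside a hardened one that cannot be pointed at the instance metadata
service. Resolver is injectable; hostnames/addresses in tests are constructed."""
import http.client
import ipaddress
import socket
import ssl
import urllib.request
from urllib.parse import urlparse


class SsrfError(ValueError):
    """The supplied URL points somewhere the server must never go."""


def fetch_vulnerable(url: str) -> bytes:
    # The bug in one call: the server fetches whatever the client hands it, with
    # the instance's own network identity. Submitting
    # http://169.254.169.254/latest/meta-data/iam/security-credentials/
    # returns the role name, and urlopen also follows redirects to that address.
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


def _dns(host: str) -> set:
    """Default resolver: every A/AAAA answer for host (needs working DNS)."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}


def forbidden(ip) -> bool:
    """True for anything not global unicast: link-local (IMDS), RFC 1918,
    loopback, multicast, reserved, unspecified."""
    # Unwrap IPv4-mapped IPv6 first so http://[::ffff:169.254.169.254]/ is
    # judged as 169.254.169.254 rather than as an unrelated IPv6 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def checked_addresses(url: str, resolve=_dns) -> list:
    """Validate url and return the public addresses its host maps to, or raise
    SsrfError. Handles literal IPs in every spelling libc accepts, IPv4-mapped
    IPv6, userinfo tricks and hostnames that resolve into internal space."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        raise SsrfError("scheme not allowed")
    if p.username or p.password:
        raise SsrfError("userinfo not allowed")   # http://app.example@169.254.169.254/
    host = p.hostname
    if not host:
        raise SsrfError("no host")
    addrs = set()
    try:
        addrs.add(ipaddress.ip_address(host))      # dotted quad or IPv6 literal
    except ValueError:
        try:
            # 2852039166, 0xa9fea9fe and 0251.0376.0251.0376 all mean
            # 169.254.169.254 to inet_aton; judge them as the literal they are.
            addrs.add(ipaddress.ip_address(socket.inet_aton(host)))
        except OSError:
            try:
                addrs.update(ipaddress.ip_address(a) for a in resolve(host))
            except (socket.gaierror, ValueError):
                pass
    if not addrs:
        raise SsrfError("host does not resolve")
    for a in addrs:
        if forbidden(a):
            raise SsrfError(f"host maps to non-public address {a}")
    return sorted(str(a) for a in addrs)


def is_allowed(url: str, resolve=_dns) -> bool:
    """Boolean form of checked_addresses(), convenient for request filters."""
    try:
        checked_addresses(url, resolve)
        return True
    except SsrfError:
        return False


def fetch_hardened(url: str, resolve=_dns, timeout: float = 5.0) -> bytes:
    """Fetch url only after checked_addresses() approves it. The socket is
    opened to the address that was checked (so a DNS answer cannot change
    between check and use), and redirects are never followed: a 302 to
    http://169.254.169.254/ is the classic bypass of URL allow-lists."""
    p = urlparse(url)
    ip = checked_addresses(url, resolve)[0]
    port = p.port or (443 if p.scheme == "https" else 80)
    raw = socket.create_connection((ip, port), timeout=timeout)
    if p.scheme == "https":
        raw = ssl.create_default_context().wrap_socket(raw, server_hostname=p.hostname)
    conn = http.client.HTTPConnection(p.hostname, port, timeout=timeout)
    conn.sock = raw                                # reuse our pinned socket
    conn.request("GET", (p.path or "/") + (f"?{p.query}" if p.query else ""))
    resp = conn.getresponse()
    if 300 <= resp.status < 400:
        raise SsrfError(f"redirect to {resp.getheader('Location')} refused")
    return resp.read()
```

The allow-list is deliberately "global unicast only" rather than a deny-list of 169.254.0.0/16: deny-lists are what the decimal, hex and IPv4-mapped spellings above are designed to slip past. Pinning the socket to the checked address and refusing redirects close the two remaining classic bypasses (DNS rebinding and an attacker-controlled 302).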
IMDSv1 vs IMDSv2 (AWS)
# IMDSv1 (legacy): a plain GET, no headers, no preflight request
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Returns the name of the attached role
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/MY-ROLE
# Returns temporary AWS credentials (AccessKeyId, SecretAccessKey, Token, Expiration)
# IMDSv2: session-oriented; a token must first be obtained with a PUT
TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")   # maximum TTL is 21600 s (6 h)
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/iam/security-credentials/
# When IMDSv2 is required, a GET without the token header is answered with 401.
# IMDSv2 breaks most SSRF because the attacker's primitive is usually a single GET
# that cannot change the method, add a header, or chain two requests. Two further
# guards: the token PUT is refused (403) if it carries an X-Forwarded-For header,
# and its response is sent with an IP TTL equal to the hop limit (default 1), so
# a token does not survive a NAT hop such as a container bridge.
# Newer AMIs (e.g. Amazon Linux 2023) and newer instance types default to
# requiring IMDSv2, but existing instances and older launch templates commonly
# still allow IMDSv1.
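To see exactly where each of those guards bites, here is an added example (not code from the original page and not AWS's implementation): an in-process model of the IMDSv1/IMDSv2 request handling described above, run against a typical SSRF primitive (one GET, no custom headers) and against a well-behaved client. Paths, header names, the 21600 s limit and the status codes follow the public IMDS documentation; the role name and credential blob are constructed placeholders and the hop-limit behaviour is simplified to a counter.

```python
"""Added example, not from the original page or from AWS: a model of IMDS
request handling (v1 optional vs v2 required) to exercise offline.
Role name and credential body are constructed placeholders."""
import secrets
import time

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
MAX_TTL = 21600  # documented maximum token lifetime, 6 hours


class ImdsModel:
    """Models one instance's metadata service.

    tokens_required=False -> v1 and v2 both accepted (HttpTokens=optional)
    tokens_required=True  -> v2 only (HttpTokens=required)
    hop_limit             -> IP TTL put on the token PUT response (default 1)
    """

    def __init__(self, tokens_required: bool, hop_limit: int = 1,
                 role: str = "MY-ROLE"):
        self.tokens_required = tokens_required
        self.hop_limit = hop_limit
        self.role = role
        self._tokens = {}  # token -> expiry (monotonic seconds)

    def handle(self, method: str, path: str, headers=None, hops: int = 1):
        """Return (status, body), or None when the token response is dropped
        because it would have to cross more hops than hop_limit allows."""
        h = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == TOKEN_PATH:
            if "x-forwarded-for" in h:
                return 403, "Forbidden"       # proxied token requests are refused
            ttl = h.get(TTL_HEADER, "")
            if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
                return 400, "Bad Request"     # TTL header missing or out of range
            if hops > self.hop_limit:
                return None                   # response TTL expires in transit
            token = secrets.token_urlsafe(32)
            self._tokens[token] = time.monotonic() + int(ttl)
            return 200, token
        if method != "GET":
            return 405, "Method Not Allowed"
        token = h.get(TOKEN_HEADER)
        if token is not None:
            expiry = self._tokens.get(token)
            if expiry is None or expiry < time.monotonic():
                return 401, "Unauthorized"    # unknown or expired token
        elif self.tokens_required:
            return 401, "Unauthorized"        # IMDSv1-style request refused
        return self._serve(path)

    def _serve(self, path: str):
        if path == CREDS_PATH:
            return 200, self.role
        if path == CREDS_PATH + self.role:
            # Constructed placeholder, not a real credential.
            return 200, ('{"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": '
                         '"EXAMPLE", "Token": "EXAMPLE", "Expiration": "..."}')
        return 404, "Not Found"


def ssrf_attempt(imds: ImdsModel, path: str = CREDS_PATH):
    """What a typical SSRF primitive can do: one GET, no custom headers,
    no way to issue the PUT first."""
    return imds.handle("GET", path)


def legitimate_client(imds: ImdsModel, hops: int = 1):
    """The IMDSv2 flow a well-behaved SDK performs on the instance."""
    reply = imds.handle("PUT", TOKEN_PATH, {TTL_HEADER: str(MAX_TTL)}, hops=hops)
    if reply is None or reply[0] != 200:
        return reply
    token = reply[1]
    role = imds.handle("GET", CREDS_PATH, {TOKEN_HEADER: token})[1]
    return imds.handle("GET", CREDS_PATH + role, {TOKEN_HEADER: token})


if __name__ == "__main__":
    for required in (False, True):
        imds = ImdsModel(tokens_required=required)
        print("tokens required" if required else "tokens optional",
              "| ssrf:", ssrf_attempt(imds), "| sdk:", legitimate_client(imds)[0])
```

To move a real instance from the first row to the second: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1, and audit the fleet via the MetadataOptions.HttpTokens field of describe-instances. The hop limit is the part people relax: containers on bridge networking need a limit of 2 to obtain tokens, which also lets a token response cross one NAT hop, so prefer giving containers their own credentials (e.g. task or pod roles) over raising it.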
Capital One 2019: the canonical case
An SSRF in Capital One's AWS-hosted environment, reached through a misconfigured web application firewall running on EC2, got to IMDSv1. The attacker, a former AWS employee, exfiltrated temporary credentials for the WAF's IAM role. That role had over-broad S3 permissions, so the attacker listed the buckets and downloaded data on roughly 100 million credit card applicants in the US (and about 6 million in Canada). The breach cost Capital One an $80M regulatory penalty from the OCC and a $190M class-action settlement.
Chain: SSRF → IMDSv1 → credentials → S3 permissions → data exfiltration. Every link was a configuration failure on Capital One's side: the WAF misconfiguration that exposed the SSRF, a metadata service that handed out credentials to a header-less GET, and a role with far more S3 access than a WAF needs. Note that the attacker never needed a foothold on the instance; the credentials were used from outside, which is also what makes this chain detectable.
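Detection for the last link of that chain, as an added example that is not from the original page: instance-role credentials being used from somewhere other than the instance they were issued to, plus a side finding for sessions that still came from IMDSv1. It runs over constructed CloudTrail-style records; the field names (userIdentity.type, userIdentity.sessionContext.ec2RoleDelivery, sourceIPAddress) follow CloudTrail's record format, while the account ID, role, instance IDs, addresses, times and the KNOWN_EGRESS range are made up.

```python
"""Added example, not from the original page: flag IMDS-issued credentials
used from addresses that are not ours, over constructed CloudTrail-shaped
records. Account, role, instance IDs, addresses and egress range are made up."""
import ipaddress
import json

# Constructed: the VPC's NAT gateway egress range. In a real deployment this
# comes from the account's NAT gateway / Elastic IP inventory.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]


def _record(time, src, delivery, name, source="s3.amazonaws.com",
            instance="i-0abc12345def67890", role="WebAppWafRole",
            ident_type="AssumedRole", arn=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": src,
           "userIdentity": {"type": ident_type, "arn": arn or
                            f"arn:aws:sts::123456789012:assumed-role/{role}/{instance}"}}
    if delivery:  # CloudTrail sets this only for credentials obtained from IMDS
        rec["userIdentity"]["sessionContext"] = {"ec2RoleDelivery": delivery}
    return rec


SAMPLE_RECORDS = [
    # Normal traffic: two instances calling S3 through the VPC's NAT gateway.
    _record("2024-05-01T10:00:00Z", "203.0.113.5", "2.0", "ListObjects",
            instance="i-0ffffffffffffffff"),
    _record("2024-05-01T10:05:00Z", "203.0.113.6", "1.0", "GetObject"),
    # The WAF instance's session, suddenly used from an unrelated address.
    _record("2024-05-01T10:40:00Z", "198.51.100.77", "1.0", "ListBuckets"),
    _record("2024-05-01T10:41:00Z", "198.51.100.77", "1.0", "GetObject"),
    # An IAM user from that same address: not an IMDS session, out of scope here.
    _record("2024-05-01T11:00:00Z", "198.51.100.77", None, "ListBuckets",
            ident_type="IAMUser", arn="arn:aws:iam::123456789012:user/alice"),
]


def detect(records, known_egress=KNOWN_EGRESS):
    """Return findings in record order. Two kinds:
    credentials-used-off-instance : an IMDS-delivered session calling the API
                                    from an address that is not ours
    imdsv1-credentials            : that session was obtained via IMDSv1
                                    (reported once per session ARN)"""
    findings, v1_seen = [], set()
    for r in records:
        ident = r.get("userIdentity", {})
        delivery = ident.get("sessionContext", {}).get("ec2RoleDelivery")
        if ident.get("type") != "AssumedRole" or delivery is None:
            continue                        # not credentials handed out by IMDS
        arn = ident.get("arn", "")
        try:
            src = ipaddress.ip_address(r.get("sourceIPAddress", ""))
        except ValueError:
            continue                        # AWS service principals appear as names
        if not any(src in net for net in known_egress):
            findings.append({"kind": "credentials-used-off-instance", "arn": arn,
                             "source": str(src), "time": r["eventTime"],
                             "event": f"{r['eventSource']}:{r['eventName']}"})
        if delivery == "1.0" and arn not in v1_seen:
            v1_seen.add(arn)
            findings.append({"kind": "imdsv1-credentials", "arn": arn,
                             "time": r["eventTime"]})
    return findings


def summarize(findings):
    """Count findings per kind (useful for alert thresholds)."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

GuardDuty ships the same idea as the UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS and .InsideAWS findings, with AWS maintaining the knowledge of where each instance's traffic should come from; the home-grown version above needs that inventory supplied, and instances with public IPs call the API from their own addresses, so those must be in the allow-list too. The imdsv1-credentials finding is the cheap way to build the list of instances still to be switched to tokens-required.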