Cloud & Infrastructure Practical By Samson Tanimawo, PhD Published Dec 31, 2025 4 min read

EC2 Metadata Endpoint Protection

The metadata endpoint can leak credentials via SSRF. The defenses that close it.

The threat

Server-side request forgery (SSRF) lets an attacker make the server fetch URLs of the attacker's choosing. The instance metadata endpoint at the link-local address 169.254.169.254 is a high-value target: it is reachable only from the instance itself, which is exactly what an SSRF gives the attacker, and it hands out the temporary credentials of the instance's IAM role under /latest/meta-data/iam/security-credentials/<role-name>.

Once an attacker has those credentials, they can do whatever the role permits, from anywhere, until the credentials expire or the role's permissions are revoked. In production this often means S3, DynamoDB, RDS and Secrets Manager.

Real incidents: the 2019 Capital One breach followed exactly this chain, an SSRF through a misconfigured WAF reached the metadata endpoint, and the role credentials it returned were used to enumerate and copy S3 buckets. Many smaller incidents follow the same pattern; SSRF to instance metadata is one of the most common cloud attack chains.

IMDSv2 enforcement

IMDSv2 requires a session token. The client must first PUT to /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header, then send the returned token in the X-aws-ec2-metadata-token header on every GET. Most SSRF primitives let the attacker control a URL but not the HTTP method or headers, so they cannot complete the first step. IMDSv2 also refuses token requests that arrive with an X-Forwarded-For header, which stops open reverse proxies and misconfigured WAFs from relaying the PUT. It is not a complete defence: an SSRF that gives full control of the request (method and headers) can still walk through the two steps, which is why the network-layer controls below still matter.
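The exchange above, as an added example that is not code from the article or from AWS: a loopback stand-in that behaves like IMDSv2 with HttpTokens=required, and a client that shows a GET-only SSRF getting nothing, the legitimate PUT-then-GET flow succeeding, and a proxied token request being refused. The role name, credential values, token format and the proxy's client address are constructed for the demo; only the header names and paths are the real ones.

```python
"""Added example, not code from the article or from AWS: a loopback stand-in
for the metadata service that behaves like IMDSv2 with HttpTokens=required,
plus a client showing why a GET-only SSRF gets nothing from it. The role name,
credential values and token format are constructed for the demo."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"            # real IMDSv2 header names
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
ROLE = "app-role"                                   # constructed
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
FAKE_CREDS = {"AccessKeyId": "ASIACONSTRUCTED", "SecretAccessKey": "x",
              "Token": "y", "Expiration": "2025-12-31T23:59:59Z"}  # constructed


class FakeIMDSv2(BaseHTTPRequestHandler):
    """PUT /latest/api/token issues a session token; every GET must present it."""
    tokens = set()   # shared across requests for the life of the server

    def _reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # Like the real service: the TTL header is mandatory, and a token
        # request that arrived through a proxy (X-Forwarded-For set) is refused.
        if (self.path != "/latest/api/token" or TTL_HEADER not in self.headers
                or "X-Forwarded-For" in self.headers):
            self.send_error(400)
            return
        token = "tok-%d" % (len(self.tokens) + 1)    # constructed, not the real token format
        self.tokens.add(token)
        self._reply(token.encode())

    def do_GET(self):
        # A bare GET is exactly the IMDSv1-style request; with tokens
        # required it is rejected before any path is consulted.
        if self.headers.get(TOKEN_HEADER) not in self.tokens:
            self.send_error(401)
        elif self.path == CREDS_PATH:
            self._reply(ROLE.encode())
        elif self.path == CREDS_PATH + ROLE:
            self._reply(json.dumps(FAKE_CREDS).encode())
        else:
            self.send_error(404)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_imds():
    """Serve on an ephemeral loopback port; returns the base URL."""
    server = HTTPServer(("127.0.0.1", 0), FakeIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_port


def _do(req):
    """Return (status, body); HTTP errors come back as their status code."""
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def ssrf_get_only(base, role=ROLE):
    """What a typical SSRF primitive can do: control the URL, nothing else."""
    return _do(urllib.request.Request(base + CREDS_PATH + role))


def imdsv2_fetch(base, role=ROLE, via_proxy=False):
    """The legitimate two-step flow. via_proxy=True adds the header a
    forwarding proxy would, to show the token request being refused."""
    headers = {TTL_HEADER: "21600"}
    if via_proxy:
        headers["X-Forwarded-For"] = "10.0.0.9"     # constructed client address
    status, token = _do(urllib.request.Request(
        base + "/latest/api/token", method="PUT", headers=headers))
    if status != 200:
        return status, ""
    return _do(urllib.request.Request(
        base + CREDS_PATH + role, headers={TOKEN_HEADER: token}))


if __name__ == "__main__":
    base = start_fake_imds()
    print("GET-only SSRF:", ssrf_get_only(base)[0])            # 401
    print("IMDSv2 client:", imdsv2_fetch(base))                 # 200 + credentials
    print("via proxy:", imdsv2_fetch(base, via_proxy=True)[0])  # 400
```

Run it as a script to see the three outcomes side by side. The point of the stand-in is the ordering in do_GET: the token check happens before any path lookup, so with tokens required there is no metadata path left that a plain GET can reach.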

Account-level setting: AWS lets you set IMDS defaults for the account per region (the ModifyInstanceMetadataDefaults API, or "Set IMDS defaults" in the EC2 console) so that new instances launch with tokens required unless a launch explicitly overrides it. Existing instances are not changed retroactively; each needs modify-instance-metadata-options with --http-tokens required, or a replacement launch.

Test before enforcement. Older AWS SDK releases, agents and third-party tools that call IMDSv1 directly will lose their credentials on an enforced instance. The EC2 CloudWatch metric MetadataNoToken counts IMDSv1 calls per instance; an instance that reports zero over a representative period is safe to enforce. Update what still calls IMDSv1, or accept that it cannot run on enforced instances.

Hop limit configuration

The hop limit (HttpPutResponseHopLimit, --http-put-response-hop-limit on the CLI) sets the IP TTL of the token PUT response. At 1, the response cannot be routed or NATed across a hop, so a container on a bridge or overlay network that reaches the endpoint through the host's network stack never receives a token; with tokens required, it therefore gets no credentials.

This specifically blocks containerised SSRF: a container cannot obtain a token as if it were the host. Two limits apply. The hop limit only affects the token response, so plain IMDSv1 GETs are unaffected and hop limit 1 is only meaningful together with tokens required. And containers running with host networking (hostNetwork: true in Kubernetes) share the host's stack, so there is no hop for the TTL to stop them.

Trade-off: some legitimate use cases need a higher hop limit, typically anything that deliberately lets pods use the node's role. Pod identity mechanisms do not: IRSA exchanges a projected service account token with STS (AssumeRoleWithWebIdentity) and EKS Pod Identity uses its own agent endpoint, so neither touches IMDS. Verify your stack before raising the limit above 1.

Network-layer defence

Pod-level egress policies (Kubernetes NetworkPolicy, or the CNI's own policy) that deny egress to 169.254.169.254/32 from application namespaces. Belt and braces: even if IMDSv2 enforcement fails or a hop limit is raised, the network policy blocks. Note that NetworkPolicy requires a CNI that enforces egress rules, and it does not apply to hostNetwork pods.

Security groups and network ACLs do not apply to link-local metadata traffic, so they cannot be used here. Block it on the node instead: a firewall rule in the node's FORWARD chain (iptables or nftables) that drops pod traffic to 169.254.169.254, the approach the kube2iam and kiam projects used; on ECS with awsvpc networking the agent setting ECS_AWSVPC_BLOCK_IMDS does the same for tasks. Defence in depth.

Detection: VPC Flow Logs do not record traffic to 169.254.169.254, so log at the node. Put a LOG rule with a distinctive prefix before the DROP and ship those lines to the SIEM; a burst of blocked attempts from one pod is a compromise indicator, whereas a single probe is usually a legacy agent. Separately, GuardDuty's InstanceCredentialExfiltration findings fire when an instance role's credentials are used from outside the instance, which catches the case where the attacker already got them.
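The detection logic, as an added example that is not from the article: it parses node firewall log lines and flags any source that exceeds a threshold of blocked metadata attempts within a sliding window. It assumes the node carries a rule that logs pod traffic to the endpoint before dropping it, with the log prefix "IMDS-BLOCK: " (the rule itself, in shell and not run here, would be `iptables -I FORWARD 1 -d 169.254.169.254/32 -j LOG --log-prefix "IMDS-BLOCK: "`); the log lines, hostnames and pod addresses in SAMPLE_LOG are constructed in the kernel's iptables LOG format.

```python
"""Added example, not from the article: spike detection over node firewall
logs for blocked traffic to the metadata endpoint. Assumes a LOG rule on the
node with prefix "IMDS-BLOCK: "; sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

IMDS_IP = "169.254.169.254"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: IMDS-BLOCK: "
    r".*?\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=" + re.escape(IMDS_IP) + r"\b")


def parse_events(lines, year=2025):
    """Extract (timestamp, source IP) from matching lines; other lines are skipped.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"]))
    return events


def spikes(events, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak count} for sources with >= threshold hits in any window.
    One blocked probe is usually a legacy agent; a burst is an SSRF or a scanner."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed sample: a 12-second burst from one pod, one stray probe from
# another pod seven minutes later, and unrelated kernel noise to be skipped.
SAMPLE_LOG = ["Dec 31 10:00:%02d ip-10-0-1-5 kernel: IMDS-BLOCK: IN=eni4b2 OUT=eth0 "
              "SRC=10.0.1.23 DST=169.254.169.254 LEN=60 TTL=64 PROTO=TCP SPT=%d DPT=80"
              % (sec, 40000 + sec) for sec in range(12)]
SAMPLE_LOG += [
    "Dec 31 10:07:41 ip-10-0-1-5 kernel: IMDS-BLOCK: IN=eni9a1 OUT=eth0 "
    "SRC=10.0.2.7 DST=169.254.169.254 LEN=60 TTL=64 PROTO=TCP SPT=51002 DPT=80",
    "Dec 31 10:07:42 ip-10-0-1-5 kernel: eth0: link up",
]


def detect(lines=SAMPLE_LOG):
    """Convenience wrapper: parse then flag with the default threshold/window."""
    return spikes(parse_events(lines))


if __name__ == "__main__":
    for src, peak in detect().items():
        print("possible SSRF/IMDS scan from %s: %d blocked attempts in 60s" % (src, peak))
```

The source address is the pod's IP, so the alert maps back to a pod via the CNI's IP allocation; the threshold and window are starting points to tune against your own baseline of legacy-agent noise.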

Operating with metadata protection

Standard launch templates set MetadataOptions to HttpTokens=required and HttpPutResponseHopLimit=1. New instances inherit the settings; non-compliant instances are flagged by the AWS Config managed rule ec2-imdsv2-check, which reports any instance still accepting IMDSv1.

Audit existing fleet quarterly. Any IMDSv1-allowed instances? Migrate or document why.

Inventory which workloads still need legacy IMDSv1. Old SDKs, third-party agents. Each is a project to update or replace.
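The fleet audit the three steps above describe, as an added example that is not the article's or AWS's code: it reads the shape of `aws ec2 describe-instances --output json`, reports every non-terminated instance whose MetadataOptions fall short of tokens required and hop limit 1, and prints the real modify-instance-metadata-options commands that would bring each one into line. The instances in SAMPLE are constructed placeholders, not real resources.

```python
"""Added example, not the article's or AWS's code: audit a fleet's
MetadataOptions for the settings this article standardises on. Input has the
shape of `aws ec2 describe-instances --output json`; SAMPLE is constructed.
Real use: save that command's output to a file and pass the path as argv[1]."""
import json
import sys

REQUIRED_TOKENS = "required"
MAX_HOP_LIMIT = 1


def check_instance(instance):
    """Findings for one instance dict (an empty list means compliant)."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return []                      # IMDS switched off entirely: nothing to leak
    findings = []
    if opts.get("HttpTokens") != REQUIRED_TOKENS:
        findings.append("IMDSv1 allowed (HttpTokens=%s)" % opts.get("HttpTokens"))
    hops = opts.get("HttpPutResponseHopLimit", 1)
    if hops > MAX_HOP_LIMIT:
        findings.append("hop limit %d lets a forwarded token reach containers" % hops)
    return findings


def audit(describe_output):
    """{InstanceId: findings} for every non-terminated, non-compliant instance."""
    report = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            findings = check_instance(inst)
            if findings:
                report[inst["InstanceId"]] = findings
    return report


def remediation_commands(report):
    """Real AWS CLI invocations that would fix each flagged instance.
    Returned as strings for review; nothing here executes them."""
    return ["aws ec2 modify-instance-metadata-options --instance-id %s "
            "--http-tokens required --http-put-response-hop-limit 1" % iid
            for iid in sorted(report)]


def _inst(iid, tokens, hops, state="running"):
    """Build one instance record in describe-instances shape (constructed)."""
    return {"InstanceId": iid, "State": {"Name": state},
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": tokens,
                                "HttpPutResponseHopLimit": hops}}


# Constructed sample; the instance IDs are placeholders, not real resources.
SAMPLE = {"Reservations": [{"Instances": [
    _inst("i-0example00000001", "required", 1),                # compliant
    _inst("i-0example00000002", "optional", 2),                # both problems
    _inst("i-0example00000003", "required", 2),                # hop limit only
    _inst("i-0example00000004", "optional", 1, "terminated"),  # ignored
]}]}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    report = audit(data)
    for iid, findings in sorted(report.items()):
        print(iid, "; ".join(findings))
    print("\n".join(remediation_commands(report)))
```

Run against real output with `aws ec2 describe-instances --output json > fleet.json` followed by `python3 imds_audit.py fleet.json` (the script name is whatever you save it as). Instances that show up with "IMDSv1 allowed" are the ones to check against the MetadataNoToken metric before running the printed remediation.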