Fetch-url-http-3a-2f-2f169.254.169.254-2flatest-2fmeta Data-2fiam-2fsecurity Credentials-2f May 2026

The IP address 169.254.169.254 hosts the AWS Instance Metadata Service (IMDS), a critical endpoint for retrieving IAM security credentials from EC2 instances. Exploiting this path, specifically through Server-Side Request Forgery (SSRF), allows unauthorized access to temporary credentials and risks full infrastructure compromise. To mitigate these risks, it is recommended to adopt IMDSv2, which introduces token-based authentication to prevent SSRF vulnerabilities. Read the full guide on securing your infrastructure at

/meta-data: This path segment indicates that the request is for metadata. The IP address 169

AWS has introduced several layers of defense to prevent metadata theft. If you are managing EC2 instances, these three steps are essential: 1. Upgrade to IMDSv2 Instance Startup : An AWS instance is launched,

1. Instance Startup: An AWS instance is launched, potentially with an IAM role attached.
2. Metadata Request: The instance (or software running on it) makes a request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ to fetch its IAM security credentials.
3. Credentials Retrieval: The instance receives a JSON response containing temporary security credentials.
4. Using Credentials: The instance uses these credentials to make secure requests to AWS services.

Example Response

The response from the metadata service might look similar to this: Example Response The response from the metadata service