Server-side request forgery (SSRF) via IMDSv1 metadata endpoint in AWS EC2

Severity: High Risk | Category: infrastructure-security

What it is

An SSRF flaw in an application running on an EC2 instance can be turned against the instance metadata service, exposing instance metadata and IAM role credentials and enabling privilege escalation, lateral movement, and unauthorized AWS API access.

Why it happens

EC2 instances created without explicit metadata options default to allowing IMDSv1, which doesn't require session tokens.

Root causes

Default IMDSv1 Behavior

Instances launched without explicit metadata_options keep the default of allowing IMDSv1, which answers plain GET requests without a session token.

Legacy Application Compatibility

IMDSv1 is kept enabled for older applications or AWS SDKs that do not support the IMDSv2 token flow.

Lack of SSRF Awareness

Teams do not realize that an SSRF vulnerability in an application can be used against IMDSv1 to read IAM credentials from the metadata service.

Fixes

1. Enforce IMDSv2 with Required Tokens

Set http_tokens to 'required' in metadata_options to enforce IMDSv2 session token authentication.

2. Set Hop Limit Appropriately

Use an http_put_response_hop_limit of 1 for instances that access the metadata service directly, or 2 for containerized workloads such as EKS nodes, where the token response must cross one extra network hop to reach the container.

3. Disable Metadata Service if Unused

If the instance doesn't need metadata or IAM role credentials, disable IMDS entirely by setting http_endpoint to 'disabled'.
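The three fixes as Terraform, shown here as an added example that is not taken from the original page: an instance left on the IMDSv1-allowing default beside the hardened variants. AMI, subnet and instance profile values are placeholders.

```hcl
# Added example, not code from the original page. AMI, subnet and instance
# profile values are placeholders.

# Before: no metadata_options block, so the launch default applies and
# IMDSv1 (tokenless GET requests to the metadata service) is still allowed.
resource "aws_instance" "legacy_app" {
  ami                  = "ami-PLACEHOLDER"
  instance_type        = "t3.micro"
  subnet_id            = "subnet-PLACEHOLDER"
  iam_instance_profile = "app-instance-profile" # placeholder
}

# After (fixes 1 and 2): IMDSv2 only. Every metadata request must carry a
# session token obtained via a PUT with a custom header, which an SSRF
# primitive limited to plain GET requests cannot produce.
resource "aws_instance" "app" {
  ami                  = "ami-PLACEHOLDER"
  instance_type        = "t3.micro"
  subnet_id            = "subnet-PLACEHOLDER"
  iam_instance_profile = "app-instance-profile" # placeholder
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # reject tokenless IMDSv1 requests
    http_put_response_hop_limit = 1          # token reply cannot be forwarded off the host
  }
}

# Containerized workload (fix 2): EKS worker nodes are launched from a
# launch template; the token reply needs one extra hop to reach a pod.
resource "aws_launch_template" "eks_node" {
  name_prefix   = "eks-node-"
  image_id      = "ami-PLACEHOLDER"
  instance_type = "m5.large"
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 2
  }
}

# Fix 3: a workload that needs neither metadata nor role credentials.
resource "aws_instance" "batch_worker" {
  ami           = "ami-PLACEHOLDER"
  instance_type = "t3.micro"
  subnet_id     = "subnet-PLACEHOLDER"
  metadata_options {
    http_endpoint = "disabled"
  }
}
```

Applying the `app` block to an existing instance changes only its metadata options, so it can be rolled out without replacing the instance; roll out `eks_node` by updating the node group's launch template version.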

Detect This Vulnerability in Your Code

Sourcery automatically identifies server-side request forgery (SSRF) via the IMDSv1 metadata endpoint in AWS EC2 and many other security issues in your codebase.