curl -sf -o /dev/null --connect-timeout 2 -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 3600" && echo "IMDSv2 enabled" || echo "IMDSv2 disabled or unreachable"
This article decodes every segment of that string, explains why it is the "holy grail" for attackers, and provides a comprehensive guide on how to protect your cloud infrastructure from metadata service abuse.
Beyond IMDSv2, you can further protect the metadata service:
Transition away from IMDSv1 completely. You can modify existing instances or enforce this via AWS Policies globally so that instances will reject any requests that do not use the /latest/api/token flow.
But wait – that’s not quite complete. The actual IMDSv2 specification requires a PUT request, not a plain GET. The correct command to obtain a token is: curl -s -X PUT http://169
The TOKEN variable stores the resulting cryptographic string so it can be passed to subsequent metadata queries like this:
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
To successfully execute this request, you must use the PUT method and include a header specifying the token's Time-to-Live (TTL). If you are running this directly on an EC2 instance:
You must first perform a PUT request to /latest/api/token to generate a temporary session token.
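As an added, self-contained example (not code from this article or from AWS), the two-step exchange above is replayed against a constructed stand-in for the metadata endpoint running in HttpTokens=required mode, so the check can be exercised offline: the stand-in refuses a token-less GET, issues a token only on a PUT that carries the TTL header, and an audit function reports whether that enforcement holds. The listening address, the token values and the role name "example-role" are all constructed.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
class FakeImds(BaseHTTPRequestHandler):
    """Constructed stand-in for IMDS with HttpTokens=required (not AWS code)."""
    tokens = set()  # session tokens issued by PUT /latest/api/token
    def log_message(self, *args): pass  # silence per-request logging
    def do_PUT(self):  # step 1: mint a session token; the TTL header is mandatory
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        if self.path != TOKEN_PATH or not ttl or not 1 <= int(ttl) <= 21600:
            return self._reply(400, "bad token request")
        token = "constructed-token-%d" % len(self.tokens)
        self.tokens.add(token)
        self._reply(200, token)
    def do_GET(self):  # step 2: a GET without a valid token is IMDSv1-style, reject it
        if self.headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            return self._reply(401, "Unauthorized")
        self._reply(200, "example-role" if self.path == CREDS_PATH else "")
    def _reply(self, code, body):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body.encode())

def start_fake_imds():
    srv = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://%s:%d" % srv.server_address

def get_imds_token(base, ttl=21600):  # client side of step 1
    req = Request(base + TOKEN_PATH, method="PUT",
                  headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    with urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def imds_get(base, path, token=None):  # client side of step 2 -> (status, body)
    headers = {"X-aws-ec2-metadata-token": token} if token else {}
    try:
        with urlopen(Request(base + path, headers=headers), timeout=2) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()

def imdsv2_enforced(base):  # audit: token-less GET refused AND the token flow works
    return (imds_get(base, CREDS_PATH)[0] == 401
            and imds_get(base, CREDS_PATH, get_imds_token(base))[0] == 200)
```

Pointing `imdsv2_enforced` at the real endpoint from inside an instance (base "http://169.254.169.254") returns False when the instance still answers token-less requests, which is the IMDSv1 behaviour the article says to retire.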