X-aws-ec2-metadata-token-ttl-seconds: A mandatory header defining the Time-To-Live (TTL) of the token in seconds. In this case, 21600 seconds equals 6 hours, which is also the maximum allowable TTL.
These credentials were like a skeleton key to the rest of the AWS kingdom.
The Birth of the Token
My Hands-On with AWS EC2 Instance Metadata Service
# Step 1: Generate the token and store it in a variable
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Step 2: Use the token to securely access instance metadata (top-level listing)
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
# Get the token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# Use the token to get the instance identity document
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document
Make an HTTP PUT request to /latest/api/token to generate a secret, time-limited token.
Some older instances or custom AMIs may still have IMDSv1 only. You can check with:
In IMDSv1, accessing metadata was a simple, single-step GET request with no token at all:
curl http://169.254.169.254/latest/meta-data/
In 2019, Capital One suffered a massive data breach where an attacker exploited an SSRF vulnerability to access a server's metadata. In the older IMDSv1, a single GET request could yield sensitive IAM role credentials. AWS responded by introducing IMDSv2, which requires a "session-oriented" approach:
Step 1: Use a PUT request to generate a temporary token.
Transition your AWS EC2 instances to require IMDSv2. Disable IMDSv1 entirely to neutralize basic, single-request SSRF attacks.
(Search for "IMDSv2") – Netflix is famous for its cloud security; they often document their migration strategies and how they enforce IMDSv2 across thousands of instances to eliminate the "old way" of accessing metadata.
Once you have the $TOKEN, you can access the metadata safely:
# Use the token to fetch the instance ID (-v shows the request and response headers)
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/instance-id
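The same two-step exchange with the service side modelled as well, as an added example that is not from the original post: a small fake IMDS on loopback that requires IMDSv2, so a bare IMDSv1-style GET is answered with 401 and a TTL above 21600 seconds with 400. The fake server, its port and the sample instance ID are constructed for the demo and stand in for 169.254.169.254.

```python
import http.server, secrets, threading, time, urllib.error, urllib.request
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600  # IMDS caps a token's lifetime at 6 hours

class FakeIMDS(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for 169.254.169.254 with IMDSv2 required (no v1 fallback)."""
    tokens = {}  # issued token -> expiry time (epoch seconds)
    data = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}  # constructed sample
    def do_PUT(self):  # Step 1: mint a session token, honouring the TTL header and its cap
        ttl = self.headers.get(TTL_HDR, "")
        if self.path != "/latest/api/token" or not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
            return self._reply(400, "bad token request")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = time.time() + int(ttl)
        self._reply(200, token)
    def do_GET(self):  # Step 2: serve metadata only to a valid, unexpired token
        token = self.headers.get(TOKEN_HDR)
        if token not in self.tokens or self.tokens[token] < time.time():
            return self._reply(401, "Unauthorized")  # a bare IMDSv1-style GET lands here
        if self.path not in self.data:
            return self._reply(404, "Not Found")
        self._reply(200, self.data[self.path])
    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())

def start_fake_imds():  # bind the fake service on a free loopback port, return its base URL
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def status_of(base, path, method="GET", headers=None):  # status code of one raw request
    req = urllib.request.Request(base + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def get_metadata(base, path, ttl=MAX_TTL):  # IMDSv2 client: PUT for a token, then GET with it
    req = urllib.request.Request(base + "/latest/api/token", method="PUT", headers={TTL_HDR: str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HDR: token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()
```

Run `get_metadata(start_fake_imds(), "/latest/meta-data/instance-id")` to see the token flow succeed, and `status_of(...)` without the token header to see the 401 that a single-request SSRF would now hit.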
Applications running on the instance can query this service without needing to hardcode credentials or configuration. For example, a web server can automatically discover which security groups it belongs to, or an application can retrieve temporary AWS credentials attached to the instance's IAM role.
METADATA_TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 3600")
Several major public breaches trace back to exposed metadata endpoints:
To understand why the /latest/api/token endpoint exists, it is vital to contrast the two versions of the AWS metadata service.
IMDSv1 (Insecure by Default)