Compute resources in AWS (e.g. EC2 instances, ECS tasks/services, etc.) obtain
AWS credentials, typically the temporary credentials of the IAM role attached to
the instance, from the Instance Metadata Service (IMDS), a link-local HTTP
endpoint at 169.254.169.254 that is reachable only from the instance itself. The
workload then uses these credentials to call other AWS services such as SQS,
DynamoDB and Secrets Manager.
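The credential retrieval described above, as an added example that is not code from the original post: a local mock of the IMDS credential endpoint, used to contrast the single unauthenticated GET that the original protocol version (IMDSv1) accepts with the session-token exchange that IMDSv2 requires. The URL paths and header names are the real IMDS ones; the listening address, role name and credential values are constructed stand-ins for 169.254.169.254, and `run_demo` is a helper name chosen here.

```python
"""Added example (not from the original post): a local mock of the IMDS
credential endpoint, used to contrast the single unauthenticated GET that
IMDSv1 accepts with the session-token flow IMDSv2 requires. The paths and
header names are the real IMDS ones; the listening address, role name and
credential values are constructed stand-ins for 169.254.169.254."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLE = "example-instance-role"                 # assumed role name
SESSION_TOKEN = "constructed-imds-session-token"
CREDS = {                                      # constructed, not real keys
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
}
CRED_PATH = "/latest/meta-data/iam/security-credentials/"


class MockIMDS(BaseHTTPRequestHandler):
    # True mirrors the instance setting HttpTokens=required (IMDSv2 only).
    require_token = True

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # IMDSv2 step 1: PUT /latest/api/token with a TTL header returns a token.
        if self.path == "/latest/api/token" and \
                "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
            self._reply(200, SESSION_TOKEN.encode())
        else:
            self._reply(400)

    def do_GET(self):
        # In v2-only mode every GET must carry the token obtained above.
        if self.require_token and \
                self.headers.get("X-aws-ec2-metadata-token") != SESSION_TOKEN:
            self._reply(401)
        elif self.path == CRED_PATH:
            self._reply(200, ROLE.encode())
        elif self.path == CRED_PATH + ROLE:
            self._reply(200, json.dumps(CREDS).encode())
        else:
            self._reply(404)


def _request(base, path, headers=None, method="GET"):
    req = urllib.request.Request(base + path, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def v1_style_fetch(base):
    """What an SSRF primitive gives an attacker under IMDSv1: one GET, no headers."""
    status, body = _request(base, CRED_PATH + ROLE)
    return status, (json.loads(body) if status == 200 else None)


def v2_flow(base):
    """The two-step IMDSv2 exchange a legitimate SDK performs."""
    status, token = _request(base, "/latest/api/token",
                             {"X-aws-ec2-metadata-token-ttl-seconds": "21600"}, "PUT")
    if status != 200:
        return status, None
    status, body = _request(base, CRED_PATH + ROLE,
                            {"X-aws-ec2-metadata-token": token})
    return status, (json.loads(body) if status == 200 else None)


def run_demo(require_token):
    """Start the mock in the requested mode and try both flows against it."""
    MockIMDS.require_token = require_token
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {"v1_get": v1_style_fetch(base), "v2_flow": v2_flow(base)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("HttpTokens=optional (v1 allowed):", run_demo(False))
    print("HttpTokens=required (v2 only):  ", run_demo(True))
```

The point of the mock is the asymmetry it makes visible: a plain GET is exactly the request shape most SSRF and XXE bugs let an attacker forge, while the PUT-with-header step is one that such bugs usually cannot produce. Running it with `require_token=False` shows the v1 GET succeeding; with `require_token=True` the same GET gets a 401 and only the token flow returns credentials.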
Introduction: Problems with IMDSv1
There was originally only one version of IMDS, now called "v1," which
unfortunately many workloads still use. Its technical risks, the high profile
incidents associated with it (the Capital One breach comes to mind), and the
existence of v2 are all well documented. When an application hosted on an
EC2 instance is vulnerable to SSRF, XXE or RCE, an attacker can usually turn
that flaw into a single GET request to IMDS and steal the temporary credentials
of the IAM role attached to the instance. The service is a particularly
attractive target for attackers: