Cloud Metadata Service

A cloud metadata service is an internal HTTP endpoint available to cloud instances that provides configuration information such as instance identity, credentials, network settings, and user data. It is a frequent target for server-side request forgery (SSRF) attacks.

Cloud metadata services are internal HTTP APIs provided by cloud platforms such as AWS, Azure, and Google Cloud that let a virtual machine instance retrieve information about itself. They are reachable only from inside the instance, at the link-local address 169.254.169.254 (Google Cloud also exposes it as metadata.google.internal), and expose data including temporary security credentials for the instance's attached role, the role name, hostname, network configuration, and user-defined startup scripts (user data), which often contain secrets of their own.

The metadata service became a significant security concern after high-profile breaches, most notably the 2019 Capital One incident, demonstrated how an attacker could exploit a server-side request forgery (SSRF) vulnerability in an application running on the instance to make it fetch the metadata endpoint and return the response, extracting the instance's temporary credentials without ever touching the instance itself. Once an attacker holds those temporary IAM credentials, they can call the cloud API from anywhere and pivot to whatever resources the instance role permits, so an over-privileged role turns a single SSRF into a full cloud-account compromise.

Cloud providers have introduced protections that require more than a plain GET to read metadata. AWS Instance Metadata Service v2 (IMDSv2) requires the caller first to obtain a session token with a PUT request to /latest/api/token carrying an X-aws-ec2-metadata-token-ttl-seconds header, and then to present that token in an X-aws-ec2-metadata-token header on every subsequent GET; Azure requires a Metadata: true request header, and Google Cloud a Metadata-Flavor: Google header. These mitigate the common SSRF case because a typical SSRF primitive only lets the attacker choose the URL of a GET request and cannot set the method or custom headers. They do not help when the SSRF gives full control of the request, or when the attacker already has code execution on the host, so the role's permissions still have to be minimal. Organizations should enforce IMDSv2 (on AWS, by setting the instance metadata option HttpTokens to required, which rejects tokenless requests outright), keep the PUT response hop limit at 1 so tokens cannot be obtained through a container's extra network hop, restrict or disable metadata access with host firewall rules for workloads that do not need it, limit the permissions attached to instance roles, and validate all user-supplied URLs so that SSRF cannot reach link-local addresses in the first place.
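The following is an added example, not code from the original page or from any cloud provider, showing why the IMDSv2 token handshake defeats a GET-only SSRF primitive. It stands up a small mock of the metadata service on localhost (constructed for this example; the role name and credential JSON are fake placeholders), once with IMDSv1-style tokenless access allowed and once with tokens required, then runs both a naive "fetch this URL" SSRF primitive and a proper IMDSv2 client against each. The header names and token path are the real AWS ones; everything else is assumption for the demo.

```python
import http.server
import secrets
import threading
import time
import urllib.error
import urllib.request

# Real IMDSv2 header names and token path (AWS documentation).
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed stand-ins for what a real instance would return (not real credentials).
FAKE_ROLE = "example-app-role"
FAKE_CREDS = '{"AccessKeyId":"EXAMPLE","SecretAccessKey":"example","Token":"example"}'


class MockIMDS(http.server.BaseHTTPRequestHandler):
    """Minimal mock of the metadata service: PUT issues a session token,
    GET returns role credentials. require_token=True models HttpTokens=required."""
    require_token = True
    tokens = {}  # token -> expiry timestamp

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_PUT(self):
        if self.path != TOKEN_PATH:
            return self._send(404, b"")
        ttl = self.headers.get(TTL_HEADER)
        if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._send(400, b"")  # IMDSv2 rejects a PUT without a valid TTL header
        token = secrets.token_urlsafe(32)
        MockIMDS.tokens[token] = time.time() + int(ttl)
        self._send(200, token.encode())

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        valid = token in MockIMDS.tokens and MockIMDS.tokens[token] > time.time()
        if MockIMDS.require_token and not valid:
            return self._send(401, b"")  # tokenless or expired: rejected
        if self.path == CRED_PATH:
            return self._send(200, FAKE_ROLE.encode())
        if self.path == CRED_PATH + FAKE_ROLE:
            return self._send(200, FAKE_CREDS.encode())
        self._send(404, b"")

    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_mock_imds(require_token):
    """Start the mock on an ephemeral localhost port; returns (server, base_url)."""
    MockIMDS.require_token = require_token
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def imdsv2_fetch(base, path, ttl=21600):
    """Legitimate IMDSv2 client: PUT for a session token, then GET with it."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT", headers={TTL_HEADER: str(ttl)})
    with urllib.request.urlopen(req) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def ssrf_fetch(url):
    """Models a typical SSRF primitive: the attacker controls only the URL and the
    vulnerable app issues a plain GET with no custom headers. Returns (status, body)."""
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def demo():
    results = {}
    # IMDSv1-style (tokens optional): the GET-only SSRF leaks the role credentials.
    srv, base = start_mock_imds(require_token=False)
    results["v1_ssrf"] = ssrf_fetch(base + CRED_PATH + FAKE_ROLE)
    srv.shutdown(); srv.server_close()
    # IMDSv2 required: the same SSRF GET is rejected, the real client still works.
    srv, base = start_mock_imds(require_token=True)
    results["v2_ssrf"] = ssrf_fetch(base + CRED_PATH + FAKE_ROLE)
    results["v2_client"] = imdsv2_fetch(base, CRED_PATH + FAKE_ROLE)
    srv.shutdown(); srv.server_close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The mock omits the hop-limit check a real IMDSv2 endpoint performs on the PUT, and it does not model an SSRF that can set methods or headers; against such a primitive the token step is no obstacle, which is why least privilege on the role and fixing the SSRF itself remain necessary.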
