Fetch-url-http-3a-2f-2f169.254.169.254-2flatest-2fmeta Data-2fiam-2fsecurity Credentials-2f May 2026

The string you provided is a URL-encoded path used to retrieve temporary security credentials for an IAM role attached to an AWS EC2 instance.

Get the full benefits of IMDSv2 and disable IMDSv1 ... - AWS

The IP address 169.254.169.254 hosts the AWS Instance Metadata Service (IMDS), a critical endpoint for retrieving IAM security credentials from EC2 instances. Exploiting this path, specifically through Server-Side Request Forgery (SSRF), allows unauthorized access to temporary credentials and risks full infrastructure compromise. To mitigate these risks, it is recommended to adopt IMDSv2, which introduces token-based authentication to prevent SSRF vulnerabilities. Read the full guide on securing your infrastructure at The string you provided is a URL-encoded path

While a critical tool for developers, this endpoint is also a primary target for Server-Side Request Forgery (SSRF) attacks. What is the 169.254.169.254 Endpoint?

The Importance of IAM Security Credentials

Identity and Access Management (IAM) security credentials are critical for any AWS instance. These credentials define what actions an instance can perform on AWS resources. When an instance needs to interact with AWS services—be it to write to an S3 bucket, monitor metrics in CloudWatch, or perform any other action—it must do so with the appropriate permissions. Fetching IAM security credentials from the metadata service allows instances to understand their permissions without requiring hardcoded credentials. What is the 169

Understanding the URL:

The Fix: Use IMDSv2, which requires a session token and blocks these simple "fetch" requests. s3:PutObject for a specific bucket). 3.

Action: Never give an EC2 instance AdministratorAccess. Only grant the specific permissions the app needs (e.g., s3:PutObject for a specific bucket). 3. Use Network Protections

Example Response

The response from the metadata service might look similar to this: