Callback-url http://169.254.169.254/latest/meta-data/iam/security-credentials/ (2026)
Applications running on the EC2 instance can then use these temporary credentials to make secure requests to AWS services.
Applications running on an EC2 instance can fetch these credentials by making a GET request to the metadata service. For example, in a Linux environment, you can use curl:
A typical request to the metadata endpoint (using IMDSv1) might look like:
This "token-backed" method effectively kills most SSRF attacks because standard SSRF vulnerabilities rarely allow an attacker to control HTTP methods (changing GET to PUT) or inject custom headers.
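The gating described above can be seen in a small in-memory model. This is an added example, not code from the original page or from AWS: it compares a bare GET, which is all a typical SSRF sink can send, with the PUT-then-GET token flow. Assumptions: the two header names are the ones IMDSv2 uses, while the `MockImds` class, its status codes, the `example-role` name and the response body are constructed for illustration.

```python
import secrets
import time

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"
# Constructed values: hypothetical role name and placeholder body.
CREDS_PATH = "/latest/meta-data/iam/security-credentials/example-role"
FAKE_CREDS = '{"AccessKeyId": "EXAMPLE", "Token": "EXAMPLE"}'


class MockImds:
    """Simplified model of the metadata service's request gating."""

    def __init__(self, require_token):
        self.require_token = require_token  # True models token-only mode
        self.sessions = {}                  # token -> expiry (monotonic)

    def handle(self, method, path, headers=None):
        h = {k.lower(): v for k, v in (headers or {}).items()}
        if path == TOKEN_PATH:
            # A session starts only with PUT plus a TTL request header.
            if method != "PUT":
                return 405, ""
            ttl = h.get(TTL_HEADER, "")
            if not ttl.isdigit():
                return 400, ""
            token = secrets.token_urlsafe(32)
            self.sessions[token] = time.monotonic() + int(ttl)
            return 200, token
        if self.require_token:
            # Metadata reads must present a live session token.
            expiry = self.sessions.get(h.get(TOKEN_HEADER, ""))
            if expiry is None or expiry < time.monotonic():
                return 401, ""
        return 200, FAKE_CREDS


def ssrf_style_fetch(imds, path):
    """A typical SSRF sink: attacker picks the URL, request is a bare GET."""
    return imds.handle("GET", path)


def sdk_style_fetch(imds, path):
    """Code on the instance: PUT for a token, then GET with the header."""
    status, token = imds.handle("PUT", TOKEN_PATH, {TTL_HEADER: "21600"})
    if status != 200:
        return status, ""
    return imds.handle("GET", path, {TOKEN_HEADER: token})
```

With `MockImds(require_token=False)` the bare GET returns the placeholder document; with `require_token=True` the same request is refused while the token flow still succeeds.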
