Ten stories. Each story shows an attack, the wall that stops it, why the wall works, and the configurations that make the attacker abort.

IMDSv2 WITH HOP LIMIT 1

The attacker has root on the EC2 instance. Fifteen minutes of work. A vulnerable Struts app. They run the command they've run a hundred times before:

```bash
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
```

Nothing. They've seen this before. IMDSv2. Fine. They get the token:

```bash
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
```

Credentials spill out. AccessKeyId. SecretAccessKey. SessionToken. They export to their laptop.

```bash
export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
```

…