An introduction to Amazon EC2 credentials
When you assign an Identity and Access Management (IAM) role to an Amazon
Elastic Compute Cloud (EC2) instance, the short-term credentials for the role
are made available via a web service known as the
Instance Metadata Service (IMDS).
The IMDS provides an HTTP endpoint for retrieving instance metadata
such as the instance IP address, AWS Region the instance is running in, the
Amazon Machine Image used to launch the instance, and the access key, secret
access key, and session token associated with the instance's IAM role. The AWS
documentation describes how to retrieve instance role credentials from IMDS.
If you've seen or used the http://169.254.169.254 or http://fd00:ec2::254
endpoints, then you've seen or used IMDS.
Retrieval of instance role credentials from IMDS is the mechanism by which the
AWS CLI and SDKs learn the credentials belonging to the instance's IAM
role without you having to configure anything on the instance. Quoting the
IAM documentation:
The AWS SDKs, AWS CLI, and Tools for Windows PowerShell automatically get the
credentials from the EC2 Instance Metadata Service (IMDS) and use them.
This is great! It means you can start using the AWS CLI, SDKs, or Tools for
Windows PowerShell on an EC2 instance without having to configure any
credentials.
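The retrieval the two paragraphs above describe, shown as an added example that is not code from the original post or from AWS: a client performs the documented IMDS exchange against a small stand-in endpoint started on loopback, so the whole thing runs off an EC2 instance. It goes beyond this section in one respect, using the session-token form of the exchange (IMDSv2, which AWS also documents) so that the stand-in can show a tokenless read being refused. The paths and header names are the AWS-documented ones; the role name, token value and credential values are constructed placeholders.

```python
# Added example (not from the original post or AWS): the IMDS credential
# exchange from both sides, against a constructed stand-in endpoint.
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample, shaped like /latest/meta-data/iam/security-credentials/<role>
SAMPLE_ROLE = "ExampleInstanceRole"  # assumed role name, not from the post
SAMPLE_CREDENTIALS = {
    "Code": "Success",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",       # placeholder, not a real key
    "SecretAccessKey": "EXAMPLE-SECRET-NOT-REAL",  # placeholder
    "Token": "EXAMPLE-SESSION-TOKEN-NOT-REAL",     # placeholder
    "Expiration": "2024-01-01T06:00:00Z",
}
TOKEN_HEADER = "X-aws-ec2-metadata-token"              # documented IMDSv2 header
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"    # documented IMDSv2 header
FAKE_TOKEN = "constructed-session-token"               # what the stand-in issues


class FakeImdsHandler(BaseHTTPRequestHandler):
    """Stand-in for IMDS that, like IMDSv2, only answers GETs carrying a session token."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # Step 1: PUT /latest/api/token with a TTL header yields a session token
        if self.path == "/latest/api/token" and TTL_HEADER in self.headers:
            self._send(200, FAKE_TOKEN)
        else:
            self._send(400, "")

    def do_GET(self):
        # Step 2: metadata GETs must present the token; a v1-style read gets 401
        if self.headers.get(TOKEN_HEADER) != FAKE_TOKEN:
            self._send(401, "")
        elif self.path == "/latest/meta-data/iam/security-credentials/":
            self._send(200, SAMPLE_ROLE)  # list of attached role names
        elif self.path == f"/latest/meta-data/iam/security-credentials/{SAMPLE_ROLE}":
            self._send(200, json.dumps(SAMPLE_CREDENTIALS))
        else:
            self._send(404, "")

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_fake_imds():
    """Start the stand-in on a free loopback port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), FakeImdsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


def _http(method, url, headers, timeout=2.0):
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def fetch_role_credentials(base_url="http://169.254.169.254"):
    """The documented client flow the AWS SDKs perform on an instance:
    obtain a session token, read the role name, read that role's credentials."""
    token = _http("PUT", f"{base_url}/latest/api/token", {TTL_HEADER: "21600"})
    auth = {TOKEN_HEADER: token}
    role = _http("GET", f"{base_url}/latest/meta-data/iam/security-credentials/", auth)
    body = _http("GET", f"{base_url}/latest/meta-data/iam/security-credentials/{role}", auth)
    creds = json.loads(body)
    missing = {"AccessKeyId", "SecretAccessKey", "Token", "Expiration"} - creds.keys()
    if missing:
        raise ValueError(f"credential document lacks {sorted(missing)}")
    return role, creds


def unauthenticated_get_status(base_url):
    """HTTP status a tokenless (v1-style) read receives from a token-enforcing endpoint."""
    try:
        _http("GET", f"{base_url}/latest/meta-data/iam/security-credentials/", {})
        return 200
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    base, srv = start_fake_imds()
    role, creds = fetch_role_credentials(base)
    print(role, creds["AccessKeyId"], "expires", creds["Expiration"])
    print("tokenless GET ->", unauthenticated_get_status(base))
    srv.shutdown()
```

Run on an instance with a role attached, `fetch_role_credentials()` with its default endpoint returns the same document shape the SDKs consume; the `Expiration` field bounds how long a given credential document remains valid, which is the figure to keep in mind when assessing how short-term these credentials really are.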
However, like most nice things, IMDS can be exploited and used in unintended
ways. This blog post explains how EC2 credentials can be retrieved from IMDS,
removed from the EC2 instance, and used outside of EC2. It also covers some
ways to mitigate this activity.