Core Agenda
- AWS EC2 architecture from an attacker's perspective, with emphasis on the Instance Metadata Service (IMDS).
- Setting up a simple EC2 test environment.
- Common EC2 misconfigurations, including network exposure issues and insecure IMDS settings.
- Cleaning up AWS resources after completing the exercises.
AWS EC2 Overview (From an Attacker's Point of View)
From a simplified offensive security viewpoint, several key components influence how EC2 instances can be attacked:
- Security Group: Controls which traffic can reach the instance from the outside.
- SSM Agent: Communicates with AWS Systems Manager for remote management.
- Internal AWS Services: Gather and provide instance-level information.
- IMDS (Instance Metadata Service): Served from the hypervisor, it answers metadata queries made from inside the instance, including requests for IAM role credentials.
Deep Dive into IMDS (Instance Metadata Service)
AWS IMDS is a critical service that helps applications running on an EC2 instance obtain instance-specific information and credentials.
But if misconfigured, it becomes a high-value target for attackers.
A. Key Characteristics of IMDS
- Type of Service: IMDS is an HTTP API service, enabled by default on every EC2 instance.
- Network Location:
  - IPv4: 169.254.169.254
  - IPv6: [fd00:ec2::254]
  - Port: TCP 80
- Local-only Access: IMDS listens on a link-local address and is only reachable from within the instance, never from outside it. Attackers therefore typically interact with it by:
  - Gaining shell access (e.g., SSH), or
  - Exploiting vulnerabilities like Server-Side Request Forgery (SSRF), where the instance is tricked into making the HTTP request on the attacker's behalf.
- Types of Data Exposed:
  - AMI ID
  - Instance ID
  - Region
  - Public keys
  - Network information
  - User data (bootstrapping scripts, SSH keys, secrets)
- IAM Credential Generation: IMDS hands out temporary credentials (access key, secret key and session token, issued via STS) for the IAM role attached to the instance.
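Because the credential path above is exactly what an SSRF reaches, defenders usually audit whether instances still serve the token-less IMDSv1. The following is an added example, not code from the original page: it checks the `MetadataOptions` block that the real EC2 `DescribeInstances` API returns for each instance, using a hand-constructed sample response with placeholder instance IDs so it runs offline (the boto3 call it would replace is only mentioned in a comment).

```python
# Added example (not from the original page): audit EC2 instance metadata options
# for IMDS settings that let an SSRF or a co-located container reach IAM credentials.
# The input has the shape returned by the real EC2 DescribeInstances API. In a live
# account SAMPLE_RESPONSE would come from boto3.client("ec2").describe_instances().
# Remediation for a flagged instance is the real CLI command:
#   aws ec2 modify-instance-metadata-options --instance-id <id> \
#       --http-tokens required --http-put-response-hop-limit 1
from typing import Dict, List


def imds_findings(meta: Dict) -> List[str]:
    """Return the weaknesses found in one instance's MetadataOptions block."""
    # With the endpoint disabled there is nothing at 169.254.169.254 to reach.
    if meta.get("HttpEndpoint") == "disabled":
        return []
    findings = []
    # HttpTokens "optional" means IMDSv1 (plain GET, no session token) is still
    # served, so any SSRF that reaches http://169.254.169.254/ can pull role creds.
    if meta.get("HttpTokens", "optional") != "required":
        findings.append("IMDSv1 allowed (HttpTokens != required)")
    # A hop limit above 1 lets the IMDSv2 token response cross a NAT/container hop,
    # so workloads in containers on the host can obtain tokens meant for the instance.
    if meta.get("HttpPutResponseHopLimit", 1) > 1:
        findings.append("HttpPutResponseHopLimit > 1")
    return findings


def audit_instances(response: Dict) -> Dict[str, List[str]]:
    """Map InstanceId -> findings for every weak instance in a DescribeInstances response."""
    report = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            found = imds_findings(inst.get("MetadataOptions", {}))
            if found:
                report[inst["InstanceId"]] = found
    return report


# Constructed sample response; instance IDs are placeholders, not real instances.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa000000000001", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0aaa000000000002", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaa000000000003", "MetadataOptions": {
        "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]}

if __name__ == "__main__":
    for instance_id, issues in audit_instances(SAMPLE_RESPONSE).items():
        print(instance_id, "->", "; ".join(issues))
```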