Fetch URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ (Jun 2026)
Once the attacker has these keys, they can use them from their own machine to access other AWS services (like S3 buckets or RDS databases) that the role has permissions for.

How to Defend Your Infrastructure
iam/security-credentials/ is used specifically to retrieve the security credentials (such as temporary access keys) associated with the IAM role that an EC2 instance is launched with.
iam/security-credentials/: This endpoint specifically returns temporary security credentials for the IAM role attached to the instance. These credentials can be used to access AWS resources.
– How to monitor for unexpected metadata API calls using cloud audit logs (CloudTrail, Azure Monitor, GCP Audit Logs) and guardrails like VPC endpoint policies.
169.254.169.254: This is a link-local address used by the AWS Instance Metadata Service (IMDS) to allow instances to access information about themselves.