Fetch-url-http-3a-2f-2f169.254.169.254-2flatest-2fmeta Data-2fiam-2fsecurity Credentials-2f !!hot!! Jun 2026

http://169.254.169.254/latest/meta-data/iam/security-credentials/

When an EC2 instance is launched, it can access the AWS Instance Metadata Service to retrieve temporary security credentials. These credentials are used to make secure requests to AWS services without needing to hard-code or store long-term access keys on the instance. http://169

By fetching data from this service, an application running on the instance can discover its: Instance ID and Type Public and Private IP addresses Security group names The "Security Credentials" Endpoint http://169

In an SSRF attack, an attacker tricks a web server into making a request on their behalf. If an attacker finds a way to make your server "fetch" a URL of their choosing, they will point it at http://169.254.169 . Why this is a "Critical" Risk: http://169