What is the instance metadata service (IMDS) and how does IMDSv2 mitigate SSRF?
Short answer
IMDS is a link-local endpoint (169.254.169.254) that gives an instance its metadata, including temporary credentials for its attached IAM role. SSRF can trick the server into fetching that URL and leaking those credentials. IMDSv2 requires a PUT to obtain a short-lived session token, sets a default IP TTL/hop limit of 1, and rejects requests with certain headers — so a simple SSRF GET can no longer reach it.
This is a favorite senior cloud question because it ties together a web vulnerability (SSRF) and a cloud-native attack (credential theft) — and the fix is elegant.
What IMDS does
Every instance can query a link-local address, 169.254.169.254, to read its own metadata: region, instance ID, networking, and — critically — the temporary credentials of the IAM role attached to it. Applications use this so they never need static keys. The problem: the endpoint trusts any request originating from the instance.
Why SSRF is so dangerous here
In a server-side request forgery attack, an attacker coerces the application into making an HTTP request to an attacker-chosen URL. If they point it at http://169.254.169.254/latest/meta-data/iam/security-credentials/..., the server fetches the role's credentials and returns them. The attacker now holds valid, role-scoped cloud credentials — the Capital One breach is the canonical example.
How IMDSv2 closes it
IMDSv1 answered a plain GET, which is exactly what SSRF produces. IMDSv2 is session-oriented:
- The client must first issue a
PUTto obtain a short-lived session token, then send that token in a header on every read. Most SSRF primitives can only do simpleGETs, so they cannot complete the handshake. - The default response hop limit (IP TTL) is 1, so the response cannot traverse a forwarding proxy or escape a container's network namespace to reach an external attacker.
- Requests carrying an
X-Forwarded-Forheader are rejected, blocking open-proxy abuse.
Enforce IMDSv2-only at launch (and account-wide via policy), and still scope the instance role tightly so a leak has minimal blast radius.
What interviewers look for
Knowing the metadata IP, that it serves role credentials, the SSRF link, and specifically why the PUT-token plus hop-limit design defeats it.
Likely follow-ups
- Why does a default hop limit of 1 break SSRF through a container or proxy?
- How would you enforce IMDSv2-only across an entire account?
- What blast radius does a leaked instance role credential have, and how do you limit it?