Request-url-http-3a-2f-2f169.254.169.254-2flatest-2fmeta Data-2fiam-2fsecurity Credentials-2f !!top!! -

"Code": "Success", "LastUpdated": "2023-04-12T16:55:44Z", "Type": "AWS4", "AccessKeyId": "ASIAQHJYEXAMPLE123", "SecretAccessKey": "6P+RveEXAMPLEKeyHere123", "SessionToken": "IQoJc2Vhc3QtMSJIMEYCIQCEXAMPLETokenValue123==", "Expiration": "2023-04-12T23:55:44Z"

The application can then use these credentials to call AWS APIs (e.g., read from S3, write to DynamoDB, launch new instances). : By appending the role name to the URL (e

The use of URL encoding (e.g., %3A for : , %2F for / ) is a standard evasion technique used to bypass Web Application Firewalls (WAFs) or input sanitization logic that might be looking for the string 169.254.169.254 in plaintext. read from S3

: Vulnerable to simple SSRF because it uses standard HTTP GET requests. write to DynamoDB

: By appending the role name to the URL (e.g., .../security-credentials/MyRoleName ), a user can retrieve an Access Key , Secret Key , and Session Token to perform actions authorized by that role. Security Implications & SSRF