Protecting The Cloud Metadata Service

Why the instance metadata endpoint is a prime SSRF target and how to guard it.

4 min read · core

A Tempting Internal Endpoint

Cloud instances expose a metadata service at a fixed internal address that returns configuration and, dangerously, temporary credentials. A server-side request forgery (SSRF) flaw that reaches it can hand an attacker the instance's cloud permissions.

Why It Is Risky

  • The endpoint is reachable from the instance with no authentication by default.
  • A vulnerable app that fetches attacker-supplied URLs can be steered to it.
  • Leaked credentials inherit the instance's role permissions.

Defenses

  • Require the hardened, session-token version of the metadata service that blocks naive requests.
  • Apply least privilege to instance roles so leaked credentials are limited.
  • Block outbound requests to the metadata address from application code and validate fetch targets.
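The third defense in practice: an added Python example (not part of the original lesson) that validates a fetch target before application code requests it. It rejects non-HTTP schemes, the well-known IPv4 metadata address and its link-local range, the AWS IPv6 metadata address fd00:ec2::254, the GCP alias metadata.google.internal, loopback and RFC 1918 ranges, the decimal-integer spelling of an IPv4 address, and IPv4-mapped IPv6 forms. Hostnames are resolved and every returned address is checked, so a name that maps to the metadata address is caught too. The `resolve` parameter, the sample hostnames and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Networks that application-initiated fetches must never reach.
# 169.254.0.0/16 contains the well-known IPv4 metadata address 169.254.169.254;
# fd00:ec2::254 is the AWS IPv6 metadata address. The remaining entries cover
# loopback, link-local IPv6 and private ranges that host internal-only services.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fd00:ec2::254/128"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]

# Hostnames that are aliases for the metadata service (GCP resolves this one).
BLOCKED_HOSTNAMES = {"metadata.google.internal"}


def parse_ip(host):
    """Return an IP address object for a literal host, or None if it is a name.

    Also accepts the decimal-integer form (e.g. 2852039166 == 169.254.169.254)
    that some HTTP client libraries silently accept as an IPv4 address.
    """
    h = host.strip("[]")
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        pass
    if h.isdigit():
        try:
            return ipaddress.ip_address(int(h))
        except ValueError:
            pass
    return None


def resolve_host(host):
    """Resolve a hostname to every address it maps to, in both families."""
    infos = socket.getaddrinfo(host, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_blocked_address(addr):
    """True if the address (or the IPv4 it wraps) lies in a blocked network."""
    candidate = addr
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        candidate = addr.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return any(candidate in net for net in BLOCKED_NETWORKS)


def check_fetch_target(url, resolve=resolve_host):
    """Return (allowed, reason) for a URL the application wants to fetch.

    Fails closed: unknown schemes, missing hosts, unresolvable names and any
    address inside BLOCKED_NETWORKS are all rejected. `resolve` is injectable
    (hypothetical parameter) so the check can be exercised without DNS.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host in BLOCKED_HOSTNAMES:
        return False, f"{host} is a metadata service alias"

    literal = parse_ip(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = resolve(host)
        except OSError:
            return False, f"cannot resolve {host}"
        if not addrs:
            return False, f"no addresses for {host}"

    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} -> {addr} is in a blocked network"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://2852039166/",
              "http://[fd00:ec2::254]/", "https://www.example.com/"):
        print(u, check_fetch_target(u))
```

Two caveats for real deployments: the check resolves the name once and the HTTP client resolves it again, so a rebinding DNS answer can slip between the two; connecting to the already-checked address (and sending the original name in the Host header) or routing all fetches through a proxy that enforces the same rules closes that gap. Redirects must be followed manually so that every hop passes the same check, since a permitted host can redirect to the metadata address. Pair this with the first defense (requiring the session-token version of the metadata service) rather than relying on either alone.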

Key idea

The metadata service can hand out instance credentials, so require its hardened version, scope instance roles tightly, and block app access to its address.

Check yourself


1. Why is the cloud metadata service a prized SSRF target?

2. Which control limits the damage of leaked instance credentials?