Ryan posted an excellent blog post about Cloud Instance Metadata Services (IMDS). IMDS is a misunderstood but deeply important feature to lock down when deploying workloads in the cloud, and it can be a major blind spot for many security teams.
Every cloud instance (VM) can query its IMDS to learn about itself and its environment: instance identity, network configuration, user data and, on AWS, the temporary credentials for the IAM role attached to the instance.
IMDS is a REST API served at a well-known, non-routable link-local address (169.254.169.254, or fd00:ec2::254 over IPv6). Nothing outside the instance can reach it, which is exactly why people assume it is safe.
AWS's IMDS is vulnerable in its default configuration. By default the endpoint still accepts IMDSv1 requests, which are plain unauthenticated HTTP GETs, so any process on the instance (and any server-side request forgery that can make the instance issue a GET) can read the role credentials. IMDSv2 requires a session token obtained with a PUT request first, which a typical SSRF cannot perform; unless the instance's metadata options require that token (HttpTokens=required), a couple of curl commands are enough:
$ curl 169.254.169.254/latest/meta-data/security-groups
$ curl 169.254.169.254/latest/meta-data/iam/security-credentials
$ curl 169.254.169.254/latest/meta-data/iam/security-credentials/EC2S3FullAccess
The second request lists the IAM role names attached to the instance; the third returns that role's AccessKeyId, SecretAccessKey and session Token, which are valid from anywhere on the internet until they expire.
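To show the difference between the two request shapes end to end, here is an added example that is not part of the original post or of any AWS code. It runs an in-process mock IMDS (constructed for this example, listening on 127.0.0.1 rather than 169.254.169.254) that serves a fake credential for the role name used above, EC2S3FullAccess, and can be switched into the hardened HttpTokens=required mode. The client side implements the real IMDSv2 exchange (PUT /latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header, then GET with X-aws-ec2-metadata-token); the credential values are made up.

```python
"""IMDSv1 vs IMDSv2 exchange demonstrated against an in-process mock IMDS.

The mock is constructed for this example and is not a real AWS endpoint. When
require_tokens=True it behaves like an instance whose metadata options are set
to HttpTokens=required: any GET without a valid session token gets 401.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
CREDS_PREFIX = "/latest/meta-data/iam/security-credentials"
ROLE_NAME = "EC2S3FullAccess"  # role name from the post's example
FAKE_CREDS = {  # constructed sample; not real credentials
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "exampleSecretKeyDoNotUse",
    "Token": "exampleSessionToken",
}


def make_handler(require_tokens, tokens):
    class MockIMDS(BaseHTTPRequestHandler):
        def log_message(self, *_):  # keep output quiet
            pass

        def do_PUT(self):  # IMDSv2 step 1: mint a session token
            if self.path != "/latest/api/token" or TTL_HDR not in self.headers:
                return self._reply(400, "")
            tok = secrets.token_urlsafe(32)
            tokens.add(tok)
            self._reply(200, tok)

        def do_GET(self):  # metadata read; token mandatory in hardened mode
            if require_tokens and self.headers.get(TOKEN_HDR) not in tokens:
                return self._reply(401, "")
            if self.path.rstrip("/") == CREDS_PREFIX:
                return self._reply(200, ROLE_NAME)
            if self.path == f"{CREDS_PREFIX}/{ROLE_NAME}":
                return self._reply(200, json.dumps(FAKE_CREDS))
            self._reply(404, "")

        def _reply(self, status, body):
            data = body.encode()
            self.send_response(status)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

    return MockIMDS


def start_mock_imds(require_tokens=True):
    """Start the mock on a free localhost port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(require_tokens, set()))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def imdsv1_get(base, path):
    """Plain unauthenticated GET: the IMDSv1 shape, and what an SSRF can send."""
    with urllib.request.urlopen(base + path, timeout=2) as r:
        return r.read().decode()


def imdsv2_get(base, path, ttl=21600):
    """IMDSv2: PUT for a session token, then GET carrying the token header."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={TTL_HDR: str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as r:
        token = r.read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HDR: token})
    with urllib.request.urlopen(req, timeout=2) as r:
        return r.read().decode()


def fetch_role_credentials(base):
    """Discover the attached role, then fetch its temporary credentials (v2)."""
    role = imdsv2_get(base, CREDS_PREFIX + "/")
    return json.loads(imdsv2_get(base, f"{CREDS_PREFIX}/{role}"))


def v1_status(base, path):
    """HTTP status a v1-style GET receives: 200 if v1 is enabled, 401 if tokens are required."""
    try:
        imdsv1_get(base, path)
        return 200
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    for required in (False, True):
        base = start_mock_imds(require_tokens=required)
        print(f"HttpTokens={'required' if required else 'optional'}:",
              "v1 GET ->", v1_status(base, CREDS_PREFIX + "/"),
              "| v2 AccessKeyId ->", fetch_role_credentials(base)["AccessKeyId"])
```

With HttpTokens left at its default (optional), the v1 GET returns 200 and the role listing, exactly like the curl commands above; with HttpTokens=required it returns 401 while the v2 client still works, because it can issue the PUT. On a real instance the hardened mode is enabled with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, and the companion `--http-put-response-hop-limit 1` keeps the token PUT from being forwarded through a container's network namespace.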