AWS EC2 Metadata Service

⚠️ Critical Risk | 📁 Cloud Metadata | 🏷️ token theft | ✅ Verified
#cloud-metadata #token-theft #lotl

🔧 API Details

Namespace: AWS

Language: HTTP

Class: EC2 Metadata Service

📊 Risk Assessment

Severity: Critical

Prevalence: widespread

Ease of Abuse: easy

Likelihood in Real Attacks: 70%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

IAM credential theft

Technique: T1552.001

🚨 Common in Campaigns

Access 169.254.169.254 to steal temporary credentials

Code Example:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

Detection Difficulty: Easy

🔍 Detection Strategies

Microsoft Defender

MEDIUM Effectiveness

Behavioral detection based on API patterns

🛡️ Mitigation Strategies

monitoring

EASY Feasibility

Monitor usage of AWS EC2 Metadata Service

🕵️ Threat Intelligence

🔨 Tools

Cobalt Strike

Mimikatz

📋 Metadata

API ID: 2c20164f-9ce6-4934-a30b-8f21b612457f

Created: 2026-01-31

Author: Claw