Fetch-url-file-3a-2f-2f-2froot-2f.aws-2fconfig

On AWS, enforce the use of IMDSv2 (Instance Metadata Service version 2), which requires a session-oriented token and prevents most SSRF attempts from reaching sensitive metadata.

| Situation | Action |
|-----------|--------|
| Need to read `/root/.aws/config` manually | Use `sudo cat` or `sudo ls` |
| Accessing via `file://` URI in code | Avoid; use filesystem APIs instead |
| Want to share config across services | Use IAM roles, not root credentials |
| Running in Docker/LXC | Do not store root AWS keys inside container |

In this setup, when you use `--profile admin-role`, the CLI will automatically grab temporary credentials from your default profile and assume the Admin role, optionally asking for your MFA code.

```python
# Vulnerable Python code
import requests

url = request.GET['url']
response = requests.get(url)  # url = file:///root/.aws/config
```
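A hardened counterpart to the vulnerable fetch above, added here as an example that is not from the original page: it rejects non-HTTP schemes such as `file://` and any host that resolves to a non-public address, including the link-local metadata address. The names `check_url` and `resolve_all` are hypothetical, and the sample URLs in the comments are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Return every IP address the host resolves to (IP literals need no DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied URL before any fetch is made."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    # Blocks file://, gopher://, ftp:// and anything else that is not HTTP(S).
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    # Every resolved address must be public: one private record is enough to
    # reach loopback, RFC 1918 ranges or link-local metadata (169.254.0.0/16).
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if not ip.is_global:
            return False, f"non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("file:///root/.aws/config",
                   "http://169.254.169.254/",
                   "http://127.0.0.1:8080/"):
        print(sample, check_url(sample))
```

The check is only sound if the fetch that follows connects to the addresses that were validated and does not follow redirects unchecked; otherwise a second DNS lookup or a redirect can point back at an internal address.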