Fetch-url-http-3a-2f-2f169.254.169.254-2flatest-2fmeta Data-2fiam-2fsecurity Credentials-2f ((free)) May 2026

Fetch-url-http-3a-2f-2f169.254.169.254-2flatest-2fmeta Data-2fiam-2fsecurity Credentials-2f ((free)) May 2026

If you see this in your web server logs or as part of a bug bounty report, it is an attack attempt.

: This specific path is where AWS stores the temporary security tokens for the instance's IAM role. If you see this in your web server

By utilizing the metadata service for retrieving IAM security credentials, AWS provides a flexible and secure mechanism for managing access to resources without requiring long-term access keys. http://169

http://169.254.169 is a classic Server-Side Request Forgery (SSRF) attack vector targeting AWS Instance Metadata Service, capable of revealing temporary IAM credentials. An attacker exploits this by forcing a web application to fetch data from the internal, trusted link-local IP, resulting in potential full cloud account takeovers, as demonstrated in the 2019 Capital One breach. Modern AWS IMDSv2 protections require a session token, mitigating this specific "fetch-url" attack. Because the request comes from inside the instance,

Because the request comes from inside the instance, it bypasses external firewalls and WAFs.

When a request is made to http://169.254.169.254/latest/meta-data/iam/security-credentials/ , the response includes a JSON object containing temporary security credentials. These credentials include:

Up
Menu
Close
Shopping trolley
Close
Return
Account
Close
Coin
Language
Euro: EUR
Español (Spanish)Español
English (English)English
Français (French)Français