
SANS ISC: Cloud Metadata URLs - SANS Internet Storm Center

Cloud Metadata URLs

This is a guest diary contributed by Remco Verhoef. Interested in publishing a guest diary? Send us your idea via our contact form.

Most cloud providers expose metadata through private URLs. Those URLs are used to retrieve metadata about the current configuration of the instance and to pass userdata to it. The configuration contains data such as security groups, public IP addresses, private addresses, the public keys configured and even rotating secret keys. The userdata can contain anything: initialization scripts, variables, passwords, etc.

The metadata URLs vary per cloud provider. I've written a few down, together with their metadata URL and a link to the documentation.

The configuration and userdata are used by scripts, automation tasks and applications, but the danger is that they can be abused to leak information about the current instance: exactly the information an attacker needs to elevate privileges or move laterally. This can include usernames, passwords, configuration, keys or scripts.

When your application accepts remote URLs as input, as a proxy server, a VPN server or a web application does (think of WordPress plugins that embed remote content, web screenshot services and many more), you need to be sure the metadata URL is not reachable through it. If you install a default Squid proxy, for example, just executing this command:

$ http_proxy=proxy:3128 curl
{
 "devpayProductCodes" : null,
 "privateIp" : "",
 "availabilityZone" : "eu-west-1c",
 "version" : "2010-08-31",
 "region" : "eu-west-1",
 "instanceId" : "i-*****",
 "billingProducts" : null,
 "pendingTime" : "2017-02-03T20:21:11Z",
 "instanceType" : "m3.medium",
 "accountId" : "*****",
 "architecture" : "x86_64",
 "kernelId" : null,
 "ramdiskId" : null,
 "imageId" : "ami-e31bab90"
}

returns all the metadata of the instance the proxy server runs on.
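The application-side fix for the proxy and URL-fetching cases above is to refuse a destination before the request is made. The following is an added example (not code from the diary or from Squid or any other project): a guard that resolves the host of a user-supplied URL and rejects it when it is, or resolves to, a link-local or cloud metadata address. The metadata address 169.254.169.254 and the AWS IPv6 metadata address fd00:ec2::254 are supplied here as assumptions, since the diary's own provider table did not survive extraction; the hostnames "app.example" and "rebind.example" are constructed for the offline demo.

```python
"""SSRF guard for an application that fetches user-supplied URLs.

Added example, not the diary's code. Refuses any URL whose host is, or
resolves to, a cloud metadata / link-local address. The 169.254.169.254 and
fd00:ec2::254 addresses are assumptions (the page's URL table was lost).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a user-supplied URL must never reach.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),     # IPv4 link-local, covers 169.254.169.254
    ipaddress.ip_network("fe80::/10"),          # IPv6 link-local
    ipaddress.ip_network("fd00:ec2::254/128"),  # AWS IPv6 metadata address (assumption)
    ipaddress.ip_network("127.0.0.0/8"),        # loopback
    ipaddress.ip_network("::1/128"),
]


def normalize(addr):
    """Turn a string/int/ip_address into an ip_address, unwrapping IPv4-mapped
    IPv6 (::ffff:169.254.169.254) so the IPv4 networks above still match."""
    addr = ipaddress.ip_address(addr)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def host_literal(host):
    """Return the address if host is an IP literal in any spelling, else None.

    urlsplit already strips the [] from IPv6 literals. The bare decimal form
    (2852039166 == 169.254.169.254) is accepted by many HTTP clients, so it is
    treated as a literal here rather than being handed to DNS.
    """
    try:
        return normalize(int(host)) if host.isdigit() else normalize(host)
    except ValueError:
        return None


def resolve(host):
    """Default resolver: every A/AAAA answer for host, as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked(addr):
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_url(url, resolver=resolve):
    """Return (allowed, reason). `resolver` is injectable so tests run offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname          # lowercased, brackets and userinfo removed
    if not host:
        return False, "no host in URL"
    literal = host_literal(host)
    addrs = [literal] if literal is not None else [normalize(a) for a in resolver(host)]
    for addr in addrs:
        if is_blocked(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; both names are made up.
    fake_dns = {"app.example": ["203.0.113.10"],
                "rebind.example": ["203.0.113.10", "169.254.169.254"]}
    for u in ["https://app.example/report",
              "http://rebind.example/latest/",
              "http://2852039166/",
              "http://[::ffff:169.254.169.254]/"]:
        print(u, "->", check_url(u, resolver=lambda h: fake_dns[h]))
```

Two caveats belong with this check. The DNS answer can change between the check and the actual connect, so a robust client connects to the address it validated and sets the Host header itself rather than resolving twice. And every redirect hop must be re-checked, because a first-hop check says nothing about where a 3xx sends the client next. The iptables rule below is the backstop for everything this check cannot see.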

Either way, the metadata contains information you don't want to disclose. You are safe once the private IP has been blocked, but that is not always possible (in the case of rotating secret keys, for example). Blocking the requests can be done with good old iptables:

$ iptables -A OUTPUT -m owner ! --uid-owner root -d -j DROP

This allows only root to reach the metadata URL, so the boot sequence can still use the metadata while the web servers cannot.
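After applying the owner-match rule, the thing a practitioner wants is a quick way to confirm it produces the intended split: root reaches the endpoint, the web server's user does not. The following is an added example, not the diary's code: a small probe that attempts one TCP connect to the metadata endpoint and classifies the outcome, with the connect function injectable so the logic can be exercised offline. The endpoint 169.254.169.254:80 is an assumption, since the destination in the diary's iptables command was lost in extraction.

```python
"""Post-deployment check for an owner-based egress rule.

Added example, not from the diary. Run as the unprivileged web server user
it should report "blocked:*"; run as root it should report "reachable".
Assumption: the metadata endpoint is 169.254.169.254 port 80.
"""
import errno
import os
import socket

METADATA_ENDPOINT = ("169.254.169.254", 80)  # assumption, see module docstring


def classify_probe(connect, endpoint=METADATA_ENDPOINT, timeout=2.0):
    """Attempt one TCP connect via connect(endpoint, timeout) and classify it.

    "reachable"        connect succeeded (the rule is not in effect for this uid)
    "blocked:dropped"  timed out: a DROP target silently discards the SYN, so
                       the client waits for the full timeout
    "blocked:rejected" refused or unreachable: a REJECT target or ICMP error
                       fails fast instead
    "blocked:eperm"    EPERM/EACCES from the kernel (seen with some LSM or
                       sandbox policies rather than netfilter)
    """
    try:
        sock = connect(endpoint, timeout)
    except socket.timeout:
        return "blocked:dropped"
    except ConnectionRefusedError:
        return "blocked:rejected"
    except OSError as exc:
        if exc.errno in (errno.EPERM, errno.EACCES):
            return "blocked:eperm"
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "blocked:rejected"
        raise
    sock.close()
    return "reachable"


def real_connect(endpoint, timeout):
    return socket.create_connection(endpoint, timeout=timeout)


def verify_owner_rule(connect=real_connect, uid=None):
    """Return (verdict, ok): ok is True when the verdict matches what an
    owner-match rule that exempts only root should produce for this uid."""
    if uid is None:
        uid = os.geteuid()
    verdict = classify_probe(connect)
    expected = "reachable" if uid == 0 else "blocked"
    return verdict, verdict.startswith(expected)


# --- offline stand-ins so the classification can be tested without a network ---
class _DummySocket:
    def close(self):
        pass


_FAKE_OUTCOMES = {
    "ok": None,
    "timeout": socket.timeout("timed out"),
    "refused": ConnectionRefusedError(errno.ECONNREFUSED, "Connection refused"),
    "hostunreach": OSError(errno.EHOSTUNREACH, "No route to host"),
    "eperm": OSError(errno.EPERM, "Operation not permitted"),
}


def fake_connect(outcome):
    """Build a connect() stand-in that raises the named outcome, or succeeds for "ok"."""
    exc = _FAKE_OUTCOMES[outcome]

    def connect(endpoint, timeout):
        if exc is not None:
            raise exc
        return _DummySocket()
    return connect


if __name__ == "__main__":
    verdict, ok = verify_owner_rule()
    print("uid %d: %s (%s)" % (os.geteuid(), verdict, "as expected" if ok else "UNEXPECTED"))
```

Run it twice, once as root and once as the web server's user (for example with sudo -u), and both runs should report "as expected". Two limits of the owner match are worth knowing: it only applies to locally generated traffic in the OUTPUT chain, so traffic forwarded from containers or other namespaces is not covered by this rule, and anything that already runs as root is exempt by design. Whether you choose DROP, as in the diary, or REJECT decides whether a blocked client hangs until its timeout or fails immediately; the probe's verdict tells you which you have.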




ISC Handler, Feb 8th 2017
