AWS Security ChangesHomeSearch

AWS AWSEC2 medium security documentation change

Service: AWSEC2 · 2025-04-16 · Security-related medium

File: AWSEC2/latest/UserGuide/instance-metadata-security-credentials.md

Summary

Restructured documentation to emphasize IMDSv2 usage, added OS-specific sections (Linux/Windows), replaced specific role name 's3access' with generic 'role-name' placeholder, and reorganized command examples

Security assessment

The changes promote IMDSv2 token-based authentication over IMDSv1, which AWS recommends as a security best practice to mitigate vulnerabilities like metadata service exploitation. While not explicitly citing a CVE, the restructuring aligns with AWS's security guidance for instance metadata access.

Diff

diff --git a/AWSEC2/latest/UserGuide/instance-metadata-security-credentials.md b/AWSEC2/latest/UserGuide/instance-metadata-security-credentials.md
index 70cdabe81..a8b9180dd 100644
--- a//AWSEC2/latest/UserGuide/instance-metadata-security-credentials.md
+++ b//AWSEC2/latest/UserGuide/instance-metadata-security-credentials.md
@@ -19 +19 @@ If your workload uses a role to assume itself, you must create a trust policy th
-The following command retrieves the security credentials for an IAM role named `s3access`.
+IMDSv2
@@ -21 +20,0 @@ The following command retrieves the security credentials for an IAM role named `
-cURL
@@ -22,0 +22 @@ cURL
+###### Linux
@@ -24 +24 @@ cURL
-**IMDSv2**
+Run the following command from your Linux instance to retrieve the security credentials for an IAM role.
@@ -27,2 +27,2 @@ cURL
-    [ec2-user ~]$ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
-    && curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
+    TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
+        && curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
@@ -30 +30 @@ cURL
-**IMDSv1**
+###### Windows
@@ -31,0 +32 @@ cURL
+Run the following cmdlet from your Windows instance to retrieve the security credentials for an IAM role.
@@ -33 +33,0 @@ cURL
-    [ec2-user ~]$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
@@ -35 +35,3 @@ cURL
-PowerShell
+    [string]$token = Invoke-RestMethod `
+        -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"} `
+        -Method PUT -Uri http://169.254.169.254/latest/api/token
@@ -38 +40,3 @@ PowerShell
-**IMDSv2**
+    Invoke-RestMethod `
+        -Headers @{"X-aws-ec2-metadata-token" = $token} `
+        -Method GET -Uri http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
@@ -39,0 +44 @@ PowerShell
+IMDSv1
@@ -41 +45,0 @@ PowerShell
-    PS C:\> [string]$token = Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"} -Method PUT -Uri http://169.254.169.254/latest/api/token
@@ -42,0 +47 @@ PowerShell
+###### Linux
@@ -44 +49 @@ PowerShell
-    PS C:\> Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token" = $token} -Method GET -Uri http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
+Run the following command from your Linux instance to retrieve the security credentials for an IAM role.
@@ -46 +50,0 @@ PowerShell
-**IMDSv1**
@@ -47,0 +52 @@ PowerShell
+    curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
@@ -49 +54,6 @@ PowerShell
-    PS C:\> Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
+###### Windows
+
+Run the following cmdlet from your Windows instance to retrieve the security credentials for an IAM role.
+    
+    
+    Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name