August 11, 2021
Compute resources in AWS (e.g. EC2 instances, ECS tasks/services, etc.) obtain AWS credentials, such as temporary credentials for the instance's IAM role, via the Instance Metadata Service (IMDS). The compute resources then use these credentials to call other AWS services such as SQS, DynamoDB and Secrets Manager.
Introduction: Problems with IMDSv1

There was originally only one version of IMDS, now called "v1," which unfortunately many people still use. The technical risks and high-profile incidents associated with v1 (the Capital One breach comes to mind), as well as the existence of v2, are well-documented.
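To make the difference between the two protocols concrete, here is an added example (not code from the original post, and not AWS code) that runs offline against a constructed fake metadata server on loopback. The fake server models only the two behaviours that matter for the SSRF argument: with IMDSv1 a single, header-less GET returns the role credentials; with IMDSv2 the caller must first PUT to /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header and then present the returned token in X-aws-ec2-metadata-token on every GET, and a GET without a valid token is refused. The role name, the credential document and the port are all constructed for the example.

```python
"""Offline demonstration of the IMDSv1 vs IMDSv2 request flows.

The fake metadata server below is constructed for this example and is not
AWS code. It models:
  * IMDSv1 style: a single GET with no headers returns credentials.
  * IMDSv2 style: PUT /latest/api/token with a TTL header yields a token,
    and every GET must carry that token in X-aws-ec2-metadata-token.
    Requests without a valid token get HTTP 401.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLE = "example-instance-role"  # constructed role name for the example
# Constructed, non-functional credential document in the IMDS response shape.
FAKE_CREDS = {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "not-a-real-secret",
    "Token": "not-a-real-session-token",
    "Expiration": "2021-08-11T18:00:00Z",
}
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
CREDS_PATH = f"/latest/meta-data/iam/security-credentials/{ROLE}"


def make_handler(require_token):
    """Build a request handler; require_token=True models an IMDSv2-only instance."""
    issued = set()  # tokens handed out by PUT /latest/api/token

    class FakeIMDS(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _send(self, status, body):
            data = body.encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_PUT(self):
            # IMDSv2 token request: PUT with a TTL header between 1 and 21600 seconds.
            ttl = self.headers.get(TTL_HEADER)
            valid_ttl = ttl is not None and ttl.isdigit() and 1 <= int(ttl) <= 21600
            if self.path != "/latest/api/token" or not valid_ttl:
                return self._send(400, "bad token request")
            token = secrets.token_urlsafe(32)
            issued.add(token)
            self._send(200, token)

        def do_GET(self):
            if self.path != CREDS_PATH:
                return self._send(404, "not found")
            if require_token and self.headers.get(TOKEN_HEADER) not in issued:
                # The check that defeats a GET-only SSRF: no session token, no credentials.
                return self._send(401, "unauthorized")
            self._send(200, json.dumps(FAKE_CREDS))

    return FakeIMDS


def start_fake_imds(require_token=True):
    """Start the fake IMDS on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(require_token))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_credentials_v1(base_url):
    """IMDSv1 flow: one plain GET. Returns the credential dict, or the HTTP status on failure."""
    try:
        with urllib.request.urlopen(base_url + CREDS_PATH, timeout=5) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code


def fetch_credentials_v2(base_url, ttl_seconds=21600):
    """IMDSv2 flow: PUT for a session token, then GET with the token header."""
    req = urllib.request.Request(base_url + "/latest/api/token", method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=5) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base_url + CREDS_PATH, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    server, base = start_fake_imds(require_token=True)
    print("v1-style GET against v2-only instance ->", fetch_credentials_v1(base))
    print("v2 flow ->", fetch_credentials_v2(base)["AccessKeyId"])
    server.shutdown()
```

The v1-style request is exactly what a typical SSRF bug lets an attacker issue: a GET to a URL of their choosing, with no control over the HTTP method or request headers. Against the v2-only server it fails with 401, because the PUT-then-GET handshake is something most SSRF primitives cannot perform. The fake does not model the other IMDSv2 defence, the hop limit on the PUT response (IP TTL of 1 by default), which keeps the token from being obtained through a NAT'd container or a misconfigured proxy on the instance.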