IMDS impersonation
AWS has identified a potential Instance Metadata Service (IMDS) impersonation issue affecting IMDSv1 and IMDSv2. This vulnerability could cause customers using AWS tools from non-EC2 compute nodes to interact with unexpected AWS accounts if a third party controls the network and impersonates the IMDS endpoint. The issue arises because IMDS normally runs on a loopback interface within EC2 instances, but outside the AWS data perimeter, a malicious actor with privileged network access could serve fake metadata credentials. AWS recommends following official installation and configuration guides for AWS CLI/SDK and SSM Agent when used outside AWS to mitigate this risk. Additionally, monitoring for unexpected IMDS traffic in on-premises environments is advised to detect potential impersonation attempts. No known exploits in the wild have been reported, and the severity is assessed as low.
AI Analysis
Technical Summary
The IMDS impersonation vulnerability involves the potential for a third party with privileged network access on non-EC2 compute nodes to impersonate the AWS Instance Metadata Service, which normally provides instance metadata and credentials only within the AWS data perimeter. This could lead to customers unknowingly interacting with unexpected AWS accounts by receiving forged metadata credentials. The issue affects both IMDSv1 and IMDSv2. AWS advises customers to strictly follow installation and configuration best practices for AWS CLI/SDK and SSM Agent when operating outside EC2 instances and to monitor network traffic for unauthorized IMDS endpoints, especially in on-premises environments. Detection guidance includes monitoring connections to AWS metadata IP addresses and HTTP paths, with SIGMA rules provided for SIEM integration.
Potential Impact
If exploited, this vulnerability could cause customers using AWS tools outside of EC2 instances to receive and use forged AWS credentials from a third party-controlled IMDS endpoint. This may result in interactions with unintended AWS accounts, potentially leading to unauthorized access or data exposure. However, exploitation requires the attacker to have a privileged network position on the same network as the affected compute node. There are no known exploits in the wild, and the overall severity is considered low.
Mitigation Recommendations
AWS recommends that customers using AWS CLI/SDK or SSM Agent outside the AWS data perimeter strictly follow the official installation and configuration guides to mitigate this issue. Additionally, organizations should monitor for unexpected IMDS traffic in on-premises environments by detecting connections to AWS metadata IP addresses (169.254.169.254 and fd00:ec2::254), HTTP requests to AWS metadata paths (/latest/meta-data, /latest/api/token), and AWS metadata headers such as X-aws-ec2-metadata-token. AWS provides SIGMA detection rules to facilitate monitoring across various SIEM platforms. No official patch is required as this is a configuration and monitoring issue. Customers should proactively detect and prevent unauthorized IMDS endpoints in their networks.
IMDS impersonation
Description
AWS has identified a potential Instance Metadata Service (IMDS) impersonation issue affecting IMDSv1 and IMDSv2. This vulnerability could cause customers using AWS tools from non-EC2 compute nodes to interact with unexpected AWS accounts if a third party controls the network and impersonates the IMDS endpoint. The issue arises because IMDS normally runs on a loopback interface within EC2 instances, but outside the AWS data perimeter, a malicious actor with privileged network access could serve fake metadata credentials. AWS recommends following official installation and configuration guides for AWS CLI/SDK and SSM Agent when used outside AWS to mitigate this risk. Additionally, monitoring for unexpected IMDS traffic in on-premises environments is advised to detect potential impersonation attempts. No known exploits in the wild have been reported, and the severity is assessed as low.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The IMDS impersonation vulnerability involves the potential for a third party with privileged network access on non-EC2 compute nodes to impersonate the AWS Instance Metadata Service, which normally provides instance metadata and credentials only within the AWS data perimeter. This could lead to customers unknowingly interacting with unexpected AWS accounts by receiving forged metadata credentials. The issue affects both IMDSv1 and IMDSv2. AWS advises customers to strictly follow installation and configuration best practices for AWS CLI/SDK and SSM Agent when operating outside EC2 instances and to monitor network traffic for unauthorized IMDS endpoints, especially in on-premises environments. Detection guidance includes monitoring connections to AWS metadata IP addresses and HTTP paths, with SIGMA rules provided for SIEM integration.
Potential Impact
If exploited, this vulnerability could cause customers using AWS tools outside of EC2 instances to receive and use forged AWS credentials from a third party-controlled IMDS endpoint. This may result in interactions with unintended AWS accounts, potentially leading to unauthorized access or data exposure. However, exploitation requires the attacker to have a privileged network position on the same network as the affected compute node. There are no known exploits in the wild, and the overall severity is considered low.
Mitigation Recommendations
AWS recommends that customers using AWS CLI/SDK or SSM Agent outside the AWS data perimeter strictly follow the official installation and configuration guides to mitigate this issue. Additionally, organizations should monitor for unexpected IMDS traffic in on-premises environments by detecting connections to AWS metadata IP addresses (169.254.169.254 and fd00:ec2::254), HTTP requests to AWS metadata paths (/latest/meta-data, /latest/api/token), and AWS metadata headers such as X-aws-ec2-metadata-token. AWS provides SIGMA detection rules to facilitate monitoring across various SIEM platforms. No official patch is required as this is a configuration and monitoring issue. Customers should proactively detect and prevent unauthorized IMDS endpoints in their networks.
Technical Details
- Article Source
- {"url":"https://aws.amazon.com/security/security-bulletins/rss/aws-2025-021/","fetched":true,"fetchedAt":"2026-05-26T20:30:24.506Z","wordCount":534}
Threat ID: 6a1602eae29bf47b505d9f9e
Added to database: 5/26/2026, 8:30:34 PM
Last enriched: 5/26/2026, 8:35:40 PM
Last updated: 5/26/2026, 9:35:02 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.