Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)
If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)
The de facto standard across cloud service providers is to host the Instance Metadata API at <code>http[:]//169.254.169.254</code>.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
|
| IAM-15 | Passwords Management | mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This control requires both CSP and CSC to independently enforce strong password management practices to protect authentication credentials and reduce the risk of unauthorized access. For example, credential access protection mitigation focuses on implementing measures to prevent adversaries from obtaining credentials, such as passwords, hashes, tokens, or keys, that could be used for unauthorized access.
References
|
| IPY-03 | Secure Interoperability and Portability Management | mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This control requires the CSP to encrypt communications using industry-standard protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities. The guidance for CSC requires it to classify API data, encrypt sensitive information during import/export, use secure protocols, and manage encryption keys independently to mitigate risks of data tampering, loss, or unauthorized access.
References
|
| IPY-02 | Application Interface Availability | mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This control requires the CSP to provide secure, standards-based, interoperable APIs with up-to-date documentation and communicate changes, while the CSC must review API documentation, use open standards, test API functionality for data transfer and recovery, monitor for outages and changes, and ensure secure, portable, and interoperable cloud deployments.
References
|
| DSP-17 | Sensitive Data Protection | mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Limit access to the Instance Metadata API. A properly configured Web Application Firewall (WAF) may help prevent external adversaries from exploiting Server-side Request Forgery (SSRF) attacks that allow access to the Cloud Instance Metadata API.
References
|
| AIS-04 | Secure Application Design and Development | mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This control requires both Cloud Service Providers and customers to implement a Secure Software Development Lifecycle (SSDLC) with security practices throughout the entire application development process to protect cloud-based applications from cyber threats. Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. The SSDLC process should ensure that applications and APIs are securely designed, developed, and operated in their cloud environments.
References
|
| AIS-05 | Automated Application Security Testing | mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like OWASP Top 10 to ensure applications are secure. Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Testing for the unnecessary use of metadata services or restricting and disabling insecure versions of metadata services that are in use may prevent adversary use of this technique. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.
References
|