The cloud instance metadata service (for example AWS IMDS at the link-local address 169.254.169.254, or fd00:ec2::254 over IPv6) answers any HTTP request that originates on the instance. With IMDSv1 a single unauthenticated GET returns the data, so an SSRF, open proxy, or similar flaw in an application running on the instance lets an external attacker read temporary credentials and instance configuration without ever having code execution on the host.
A request to /latest/meta-data/iam/security-credentials/<role-name> returns the role's access key ID, secret access key and session token. Those credentials are valid off the instance for as long as the session lasts and carry every permission the role has, so a single SSRF becomes lateral movement, privilege escalation, or compromise of the whole account; user-data and other metadata paths frequently leak additional secrets and internal hostnames.
Require IMDSv2 (HttpTokens=required) on every instance, and in launch templates and AMIs, so that a session token must first be obtained with a PUT carrying the X-aws-ec2-metadata-token-ttl-seconds header, which a plain GET-based SSRF cannot do; the IAM condition keys ec2:MetadataHttpTokens, ec2:MetadataHttpPutResponseHopLimit and ec2:MetadataHttpEndpoint can deny RunInstances that would launch anything weaker. Keep HttpPutResponseHopLimit at 1 so the token response is dropped at the first hop and cannot reach containers on a bridge network (containers using the host network namespace are not blocked by this, so give them their own iptables rule or a metadata proxy), and disable HttpEndpoint entirely on instances that never need it. Block 169.254.169.254 at the host or CNI level for workloads that do not need it. Monitor the CloudWatch MetadataNoToken metric and CloudTrail records whose userIdentity.sessionContext.ec2RoleDelivery is 1.0 to find remaining IMDSv1 users, and consider denying role credentials used from outside the instance's VPC with the aws:EC2InstanceSourceVPC condition. IMDSv2 stops header-less SSRF, not an attacker who already runs code on the box, so the instance role still needs least privilege. The same idea applies elsewhere: GCP requires the Metadata-Flavor: Google header and Azure IMDS requires Metadata: true, which likewise defeats SSRF that cannot set headers.
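An added example, not AWS's own tooling: an audit of the metadata options on a fleet, the parameters needed to remediate each weak instance, and a scan of CloudTrail records for credentials still being delivered over IMDSv1. The DescribeInstances payload and CloudTrail records are constructed, instance IDs and ARNs are hypothetical, and the field names follow the EC2 and CloudTrail response formats named in the text; the remediation dictionary is shaped for boto3's `ec2.modify_instance_metadata_options()` but the script does not call AWS, so it runs offline.

```python
"""Audit EC2 metadata options for IMDSv1 exposure and build IMDSv2 remediation.

Constructed inputs; nothing here talks to AWS.
"""
from typing import Dict, List

# Constructed sample of `aws ec2 describe-instances`, trimmed to the fields
# the audit needs. Instance IDs are hypothetical.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111",
         "MetadataOptions": {"HttpEndpoint": "enabled",
                             "HttpTokens": "optional",        # IMDSv1 still answered
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222",
         "MetadataOptions": {"HttpEndpoint": "enabled",
                             "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},  # token crosses a bridge
        {"InstanceId": "i-0ccc333",
         "MetadataOptions": {"HttpEndpoint": "disabled",       # no IMDS at all
                             "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ddd444",
         "MetadataOptions": {"HttpEndpoint": "enabled",
                             "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},  # hardened
    ]}]
}

# Constructed CloudTrail records: ec2RoleDelivery tells which IMDS version
# handed out the role credentials used for the API call.
SAMPLE_CLOUDTRAIL = [
    {"eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0aaa111",
                      "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    {"eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0ddd444",
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    {"eventName": "ConsoleLogin",                      # human user, no IMDS involved
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]


def audit_metadata_options(describe_instances: Dict,
                           max_hop_limit: int = 1) -> Dict[str, List[str]]:
    """Map instance ID to findings for instances that still serve IMDSv1 or
    let the IMDSv2 token response travel further than max_hop_limit hops."""
    findings: Dict[str, List[str]] = {}
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # endpoint off: nothing to steal regardless of HttpTokens
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed (HttpTokens != required)")
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > max_hop_limit:
                problems.append(f"hop limit {hops} > {max_hop_limit}: "
                                "token response reachable from bridged containers")
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


def remediation_params(instance_id: str, hop_limit: int = 1) -> Dict:
    """Keyword arguments for boto3 ec2.modify_instance_metadata_options()
    that enforce IMDSv2 and pin the hop limit; call it once per finding."""
    return {"InstanceId": instance_id,
            "HttpEndpoint": "enabled",
            "HttpTokens": "required",
            "HttpPutResponseHopLimit": hop_limit}


def imdsv1_credential_use(records: List[Dict]) -> List[str]:
    """ARNs whose credentials were delivered by IMDSv1 (ec2RoleDelivery 1.0);
    enforcing IMDSv2 on those instances will break whatever made these calls."""
    arns = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        if ident.get("sessionContext", {}).get("ec2RoleDelivery") == "1.0":
            arns.append(ident.get("arn", "<unknown>"))
    return sorted(set(arns))


if __name__ == "__main__":
    for instance_id, problems in audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES).items():
        print(instance_id, problems, "->", remediation_params(instance_id))
    print("still on IMDSv1:", imdsv1_credential_use(SAMPLE_CLOUDTRAIL))
```

Run the CloudTrail check before flipping HttpTokens to required: any ARN it reports is a workload (often an old SDK or a hand-rolled curl) that will lose credentials the moment IMDSv1 is turned off, so fix those callers first and then remediate the instances the audit lists.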