AWS Metadata | Notion

For Fargate (and ECS?), the keys are in a metadata page with a random UUID

169.254.170.2/v2/credentials/{uuid}

You need an LFI or other vuln that gives you access to /proc/self/environ on a Linux host.

This will contain a AWS_CREDENTIALS_RELATIVE_URI environment variable. This is only useful if you also have SSRF or RCE.

elitest/federateme

https://github.com/grahamhelton/IMDSpoof

IMDSPOOF is a cyber deception tool that spoofs an AWS IMDS service. One way that attackers are able to escalate privileges or move laterally in a cloud environment is by retrieving AWS Access keys from the IMDS service endpoint located at http://169.254.169.254/latest/meta-data/iam/security-credentials/<user>. This tool spoofs that endpoint and redirects traffic sent to 169.254.169.254 to a local webserver that serves fake data. This can be leveraged for highly tuned detections by inserting honey AWS tokens into the response of the spoofed IMDS response.