The IP address 169.254.169.254 is a link-local address reserved for cloud instance metadata services. It is not routable over the internet; it exists only within the virtual network of a cloud provider. When an application running on an Amazon EC2 instance (or similar VM in Google Cloud, Azure, or other platforms) makes an HTTP request to this IP, the hypervisor or a local service responds with metadata about the instance itself.
In AWS, hitting this endpoint returns information about the running instance, including its hostname, public keys, network configuration, and most critically, IAM role credentials. The full, unencoded path is: The IP address 169
The server then fetches that internal endpoint and returns the IAM credentials in the response — or the attacker can use a blind SSRF to exfiltrate credentials via DNS or HTTP logs. In AWS, hitting this endpoint returns information about
If you are seeing the string fetch-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fmeta data-2Fiam-2Fsecurity credentials-2F in your application logs, web application firewall (WAF) alerts, or security scans, your system is likely being targeted by a Server-Side Request Forgery (SSRF) attack. Understanding and Securing the AWS IAM Security Credentials
Understanding and Securing the AWS IAM Security Credentials Metadata Endpoint
While a critical tool for developers, this endpoint is also a primary target for attacks. What is the 169.254.169.254 Endpoint?