curl --url http://169.254.169.254/latest/api/token

You could request:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/some-role

With IMDSv1 this returns the role's temporary credentials (AccessKeyId, SecretAccessKey, Token) in plaintext. No authentication, no session token, no special headers, and a GET to .../security-credentials/ with no role name lists the role to use. Any process on the instance, including a web application with an SSRF bug, can therefore obtain the instance role's keys; if that role is an administrator, the attacker now holds admin keys.

Enforce IMDSv2 only:

aws ec2 modify-instance-metadata-options \
    --instance-id i-1234567890abcdef0 \
    --http-tokens required \
    --http-endpoint enabled
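The two halves of the fix in working form, as an added example that is not from the original page: the IMDSv2 token flow a client must use once --http-tokens required is set (a PUT for a session token, then the token presented on each read), and an audit/remediation loop for instances still accepting IMDSv1. IMDS_BASE, the function names and the sample describe-instances output are assumptions; the sample data is constructed so the audit part runs offline.

```shell
#!/bin/sh
# Added example, not the page's or AWS's own code. IMDS_BASE and the sample
# audit data below are assumptions / constructed input.

IMDS_BASE="${IMDS_BASE:-http://169.254.169.254}"
TOKEN_TTL=21600   # seconds; 21600 (6 h) is the maximum IMDS accepts

# IMDSv2 step 1: obtain a session token. The PUT plus TTL header is exactly
# what a blind SSRF GET cannot produce, which is why v2 blocks the attack.
imds_token() {
    curl -sS -X PUT "$IMDS_BASE/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: $TOKEN_TTL"
}

# IMDSv2 step 2: read a metadata path with the token. Without the header,
# an instance configured with --http-tokens required answers 401.
imds_get() {
    token="$1"
    path="$2"
    curl -sS -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS_BASE/latest/meta-data/$path"
}

# Audit: read (on stdin) the text output of
#   aws ec2 describe-instances --output text \
#     --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens,MetadataOptions.HttpEndpoint]'
# and print the IDs that still accept IMDSv1: HttpTokens=optional with the
# endpoint enabled. Instances with the endpoint disabled are not exposed.
imdsv1_allowed() {
    awk '$2 == "optional" && $3 == "enabled" { print $1 }'
}

# Remediation for each audited ID. Hop limit 1 (assumed here as a hardening
# choice) also stops containers and other NAT'd hops from reaching IMDS.
enforce_imdsv2() {
    while read -r id; do
        [ -n "$id" ] || continue
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would enforce IMDSv2 on $id"
        else
            aws ec2 modify-instance-metadata-options \
                --instance-id "$id" \
                --http-tokens required \
                --http-endpoint enabled \
                --http-put-response-hop-limit 1
        fi
    done
}

# Constructed sample audit data (not real instances) so this runs offline.
SAMPLE='i-0aaa111 optional enabled
i-0bbb222 required enabled
i-0ccc333 optional disabled'

imdsv1_allowed_sample() {
    printf '%s\n' "$SAMPLE" | imdsv1_allowed
}

enforce_sample_dry_run() {
    imdsv1_allowed_sample | DRY_RUN=1 enforce_imdsv2
}
```

On a live instance, imds_get "$(imds_token)" iam/security-credentials/ should succeed, while the bare GET from the start of this page should return 401 once the modify call has been applied. Run the audit against real output by piping the describe-instances command shown in the comment into imdsv1_allowed, then into enforce_imdsv2 with DRY_RUN=0.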

CloudTrail does not record calls to the instance metadata service, because they are local HTTP requests from the instance rather than AWS API calls. Instead, use: