Cloud Metadata SSRF via AI Agents
Threat Description
Server-Side Request Forgery (SSRF) against cloud metadata endpoints occurs when an AI agent running on a cloud instance (AWS EC2, GCP Compute Engine, Azure VM) makes an HTTP request to 169.254.169.254 — the Instance Metadata Service (IMDS). This link-local address returns temporary security credentials, instance identity documents, and configuration data. An agent that queries this endpoint obtains cloud IAM credentials that can be used for lateral movement across the cloud environment. The request is indistinguishable from normal network traffic at the OS level.
Attack Vector
- An AI agent runs on a cloud VM or container with access to the local network.
- The agent is directed — through prompt injection, a malicious task, or emergent behavior — to make an HTTP GET request to http://169.254.169.254/latest/meta-data/iam/security-credentials/.
- The IMDS responds with the IAM role name. The agent makes a follow-up request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ with the role name appended (my-ec2-role in the example below).
- The IMDS returns temporary AWS credentials: AccessKeyId, SecretAccessKey, and Token.
- The agent sends these credentials to an external endpoint via a network action, or uses them directly to make AWS API calls.
- The attacker now has cloud credentials with the permissions of the instance's IAM role.
Role name lookup action:
{
  "action": "network",
  "params": {
    "method": "GET",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  },
  "agentId": "deploy-agent-05",
  "timestamp": "2026-02-13T16:45:00Z"
}
Credential retrieval action:
{
  "action": "network",
  "params": {
    "method": "GET",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/my-ec2-role"
  },
  "agentId": "deploy-agent-05",
  "timestamp": "2026-02-13T16:45:01Z"
}
Real-World Context
SSRF to cloud metadata endpoints is one of the most exploited attack vectors in cloud security. The Capital One breach (2019) was caused by SSRF to the AWS metadata service. When AI agents operate on cloud infrastructure — a common deployment pattern for production agent systems — they inherit access to the IMDS unless it is explicitly disabled or blocked.
The Clawdbot incident (1.5M API key leak) showed that agents with unrestricted network access will make requests the operator did not anticipate. An agent on a cloud instance with both network tool access and IMDS availability is one HTTP request away from cloud credential theft.
AWS IMDSv2 requires a PUT request to obtain a session token before querying metadata. This mitigates casual SSRF from web applications. However, an AI agent with full HTTP tool access can issue PUT requests and follow the IMDSv2 flow programmatically. IMDSv2 does not protect against agents with full HTTP capability.
Why Existing Defenses Fail
IMDSv2 requires a two-step token flow but does not block requests from processes running on the instance. An AI agent with HTTP tool access can perform both steps.
Security groups and NACLs control traffic between instances and external networks. They do not control traffic to link-local addresses (169.254.169.254), which remain reachable from the instance regardless of security group or NACL configuration.
Container networking (Docker, ECS) can be configured to block metadata access via iptables rules, but this requires explicit configuration that many deployments omit. Default container networking allows IMDS access.
Prompt guardrails instructing the agent "do not access 169.254.169.254" are bypassable via prompt injection or indirect encoding (e.g., using decimal IP notation 2852039166 instead of dotted quad).
How Action-Level Gating Prevents This
SafeClaw by Authensor intercepts every network action before the HTTP request is made. The policy engine evaluates the target URL against deny rules with sub-millisecond latency.
- Explicit IMDS DENY rule. A network rule matching URLs containing 169.254.169.254 blocks all requests to the metadata endpoint, including IMDSv1 GET and IMDSv2 PUT/GET sequences.
- Link-local range DENY. A broader rule matching 169.254.* blocks all link-local requests, covering metadata endpoints across AWS, GCP, and Azure.
- Deny-by-default for network actions. Only explicitly permitted domains and URLs are reachable. Even if the agent encodes the IMDS IP in an alternative format, the request must match an ALLOW rule to proceed.
- Method-agnostic blocking. SafeClaw evaluates the URL regardless of HTTP method (GET, PUT, POST). Both IMDSv1 and IMDSv2 flows are blocked.
Example Policy
{
  "rules": [
    {
      "action": "network",
      "match": { "urlPattern": "169.254." },
      "effect": "DENY",
      "reason": "Cloud metadata endpoint access is prohibited"
    },
    {
      "action": "network",
      "match": { "urlPattern": "metadata.google.internal" },
      "effect": "DENY",
      "reason": "GCP metadata endpoint access is prohibited"
    },
    {
      "action": "network",
      "match": { "urlPattern": "https://api.openai.com/**" },
      "effect": "ALLOW",
      "reason": "Agent may call OpenAI API"
    },
    {
      "action": "network",
      "match": { "urlPattern": "https://api.github.com/**" },
      "effect": "ALLOW",
      "reason": "Agent may call GitHub API"
    },
    {
      "action": "network",
      "match": { "urlPattern": "**" },
      "effect": "DENY",
      "reason": "All other network requests denied"
    }
  ]
}
This policy blocks metadata endpoints on both AWS (169.254.169.254) and GCP (metadata.google.internal). Azure uses the same 169.254.169.254 address with a required header, which is also blocked by the first rule. The trailing DENY rule blocks all unlisted destinations.
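To make the first-match, deny-by-default evaluation concrete, here is an added example evaluator for the policy above. It is not SafeClaw's own code; the pattern semantics (substring match for patterns without a wildcard, `*` within one path segment, `**` for anything) and the result shape are assumptions. It also shows why canonicalising the URL before matching matters: the WHATWG URL parser rewrites an integer host such as 2852039166 to 169.254.169.254, so the explicit metadata rule fires rather than only the catch-all.

```javascript
// Added example, not SafeClaw's own code: a minimal first-match evaluator for
// the policy above with deny-by-default. Pattern semantics are an assumption:
// a pattern without "*" matches as a substring, "*" matches within one path
// segment, and "**" matches anything.
const policy = {
  rules: [
    { action: "network", match: { urlPattern: "169.254." }, effect: "DENY",
      reason: "Cloud metadata endpoint access is prohibited" },
    { action: "network", match: { urlPattern: "metadata.google.internal" }, effect: "DENY",
      reason: "GCP metadata endpoint access is prohibited" },
    { action: "network", match: { urlPattern: "https://api.openai.com/**" }, effect: "ALLOW",
      reason: "Agent may call OpenAI API" },
    { action: "network", match: { urlPattern: "https://api.github.com/**" }, effect: "ALLOW",
      reason: "Agent may call GitHub API" },
    { action: "network", match: { urlPattern: "**" }, effect: "DENY",
      reason: "All other network requests denied" },
  ],
};

// Compile a urlPattern to an anchored regex; null means "plain substring match".
function patternToRegex(pattern) {
  if (!pattern.includes("*")) return null;
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*\*/g, "\u0000").replace(/\*/g, "[^/]*").replace(/\u0000/g, ".*");
  return new RegExp("^" + body + "$");
}

function urlMatches(pattern, url) {
  const re = patternToRegex(pattern);
  return re ? re.test(url) : url.includes(pattern);
}

// Evaluate one action request (the JSON shape shown above) against the policy.
// The URL is canonicalised first: the WHATWG URL parser rewrites integer hosts
// such as http://2852039166/ to dotted-quad form, so the explicit "169.254."
// rule catches the decimal-IP encoding trick instead of only the catch-all.
function evaluate(policy, request) {
  let url;
  try {
    url = new URL(request.params.url).href;
  } catch {
    return { effect: "DENY", reason: "Unparseable URL", url: request.params.url };
  }
  for (const rule of policy.rules) {
    if (rule.action !== request.action) continue; // HTTP method is not consulted
    if (urlMatches(rule.match.urlPattern, url)) return { effect: rule.effect, reason: rule.reason, url };
  }
  return { effect: "DENY", reason: "No matching rule (deny-by-default)", url };
}
```

A look-alike host such as api.github.com.example does not satisfy the anchored `https://api.github.com/**` pattern and falls through to the trailing DENY.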
Detection in Audit Trail
SafeClaw's SHA-256 hash chain audit trail records blocked IMDS access attempts:
[2026-02-13T16:45:00Z] action=network url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ agent=deploy-agent-05 verdict=DENY rule="Cloud metadata endpoint access is prohibited" hash=a1b2c3...
[2026-02-13T16:45:01Z] action=network url=http://169.254.169.254/latest/meta-data/iam/security-credentials/my-ec2-role agent=deploy-agent-05 verdict=DENY rule="Cloud metadata endpoint access is prohibited" hash=d4e5f6...
Any DENY entry targeting 169.254.169.254 is a high-severity indicator. In legitimate agent operation, there is no reason to access the metadata service. One or more such entries strongly suggest prompt injection or a compromised agent. The tamper-proof hash chain ensures these entries are preserved for incident response. The control plane sees only the URL metadata, never response bodies or credentials.
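As an added example of turning the audit trail into an alert (not SafeClaw's own tooling), the following parses lines in the format shown above and flags any network action aimed at a metadata endpoint. The line grammar, the finding shape and the severity labels are assumptions; the sample lines are constructed from the two entries above plus one benign action.

```javascript
// Added example, not SafeClaw's own code: parse audit-trail lines in the format
// shown above and flag metadata-endpoint access attempts. The line format, the
// finding shape and the severity levels are assumptions for this illustration.
const LINE = /^\[([^\]]+)\]\s+(.*)$/;
const FIELD = /(\w+)=("([^"]*)"|\S+)/g;

function parseLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  const entry = { timestamp: m[1] };
  for (const f of m[2].matchAll(FIELD)) entry[f[1]] = f[3] !== undefined ? f[3] : f[2];
  return entry;
}

// True for any host in the 169.254.0.0/16 link-local range (AWS and Azure IMDS)
// or the GCP metadata hostname. The URL parser canonicalises the host first, so
// an integer or hex encoding of the address is recognised as well.
function targetsMetadata(url) {
  let host;
  try { host = new URL(url).hostname; } catch { return false; }
  return host.startsWith("169.254.") || host === "metadata.google.internal";
}

function findMetadataAccess(lines) {
  const findings = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.action !== "network" || !targetsMetadata(e.url)) continue;
    findings.push({
      timestamp: e.timestamp, agent: e.agent, url: e.url, verdict: e.verdict, rule: e.rule, hash: e.hash,
      // A DENY shows the policy held but the agent was steered toward the IMDS; an ALLOW
      // means the policy let a metadata request through and needs fixing immediately.
      severity: e.verdict === "DENY" ? "HIGH" : "CRITICAL",
    });
  }
  return findings;
}

// Constructed sample lines: the two blocked attempts from above plus one benign action.
const sampleTrail = [
  '[2026-02-13T16:45:00Z] action=network url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ agent=deploy-agent-05 verdict=DENY rule="Cloud metadata endpoint access is prohibited" hash=a1b2c3...',
  '[2026-02-13T16:45:01Z] action=network url=http://169.254.169.254/latest/meta-data/iam/security-credentials/my-ec2-role agent=deploy-agent-05 verdict=DENY rule="Cloud metadata endpoint access is prohibited" hash=d4e5f6...',
  '[2026-02-13T16:46:10Z] action=network url=https://api.github.com/repos agent=deploy-agent-05 verdict=ALLOW rule="Agent may call GitHub API" hash=0a1b2c...',
];
console.log(findMetadataAccess(sampleTrail));
```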
Install SafeClaw with npx @authensor/safeclaw. The free tier provides 7-day renewable keys, no credit card required. Use simulation mode to test IMDS-blocking policies before enforcing them in production.
Cross-References
- AI Agent Security Risks FAQ — IMDS attack vector explained in the FAQ
- SafeClaw vs Cloud IAM Comparison — Why cloud IAM alone does not prevent agent SSRF
- Simulation Mode Definition — Test network policies without blocking in production
- Action Request Format Reference — Network action structure and URL matching
- Use Case: CI/CD Pipeline Agent — Securing agents running on cloud infrastructure
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw