Scenario #274
Security
Kubernetes v1.22, AWS

Unauthorized Cloud Metadata API Access

A pod was able to access the EC2 metadata API and retrieve IAM credentials due to open network access.

What Happened

A compromised pod accessed the instance metadata service via the default route and used the credentials to access S3 and RDS.

Diagnosis Steps
  1. Analyzed CloudTrail logs for unauthorized S3 access.
  2. Found the requests were made with the node's instance-metadata (instance profile) credentials.
  3. Matched those requests against the pod's activity timeline.
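The second diagnosis step relies on one CloudTrail signature: calls made with instance-profile credentials appear as an AssumedRole identity whose session name is the EC2 instance ID, while IRSA calls carry a different session name. The triage script below is an added example, not part of the original scenario; the CloudTrail records are constructed, and the list of services a node role is expected to call on its own is an assumption.

```python
import json
import re

# Constructed sample CloudTrail records (not from the original scenario).
# Instance-profile credentials show up as an AssumedRole identity whose
# session name is the EC2 instance ID; an IRSA pod role gets another name.
NODE_ARN = "arn:aws:sts::111122223333:assumed-role/eks-node-role/i-0abc123def4567890"
IRSA_ARN = "arn:aws:sts::111122223333:assumed-role/app-irsa-role/1631613720000000001"
SAMPLE_EVENTS = [
    {"eventTime": "2021-09-14T10:01:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.23",
     "userIdentity": {"type": "AssumedRole", "arn": NODE_ARN}},
    {"eventTime": "2021-09-14T10:01:05Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "sourceIPAddress": "10.0.1.23",
     "userIdentity": {"type": "AssumedRole", "arn": NODE_ARN}},
    {"eventTime": "2021-09-14T10:01:07Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.23",
     "userIdentity": {"type": "AssumedRole", "arn": NODE_ARN}},
    {"eventTime": "2021-09-14T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.23",
     "userIdentity": {"type": "AssumedRole", "arn": IRSA_ARN}},
]

# Session name equal to an instance ID (i- plus 8 or 17 hex chars) marks IMDS credentials.
NODE_SESSION = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

# Assumed allow-list: services the node role itself is expected to call
# (kubelet, CNI, image pulls). Adjust to the cluster's node IAM policy.
EXPECTED_NODE_SERVICES = {"ec2.amazonaws.com", "ecr.amazonaws.com", "eks.amazonaws.com"}

def node_credential_instance(event):
    """Return the instance ID if the call used instance-profile credentials, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    m = NODE_SESSION.match(ident.get("arn", ""))
    return m.group(1) if m else None

def suspicious_node_calls(events, expected=EXPECTED_NODE_SERVICES):
    """Flag calls made with node (IMDS) credentials to services a node should not touch."""
    findings = []
    for ev in events:
        instance = node_credential_instance(ev)
        if instance and ev.get("eventSource") not in expected:
            findings.append({"time": ev["eventTime"], "instance": instance,
                             "service": ev["eventSource"], "action": ev["eventName"]})
    return findings

if __name__ == "__main__":
    for finding in suspicious_node_calls(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The two flagged S3 and RDS calls pin down the node (via its instance ID) and the time window to compare against pod scheduling on that node.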
Root Cause

Lack of egress restrictions from pods to 169.254.169.254.

Fix/Workaround
• Restricted pod egress using network policies.
• Enabled IMDSv2 with hop limit = 1 to block pod access.
Lessons Learned

Default cloud behaviors can become vulnerabilities in shared nodes.

How to Avoid
  1. Secure instance metadata access.
  2. Use IRSA (IAM Roles for Service Accounts) instead of node-level credentials.