Curl-url-http-3a-2f-2f169.254.169.254-2flatest-2fapi-2ftoken

Standard deployment scripts, configuration management tools (like Ansible or Terraform), and container daemons frequently query this endpoint to configure themselves upon boot. If your logging system tracks URL parameters or command-line arguments in an encoded format, this entry is benign.

2. Reconnaissance and SSRF Attempts

The instance uses that token in an HTTP header to request the actual metadata.

The metadata service has several use cases:

The command curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken

curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"

The endpoint referenced by curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken represents the cornerstone of modern AWS instance security. By mandating a PUT request and a session token, IMDSv2 has drastically reduced the impact of SSRF vulnerabilities.

CloudTrail logs do not capture metadata service calls. Instead, use:

Instead:


If the attacker supplies:

: These represent URL-encoded characters. -3A translates to a colon (:), and -2F translates to a forward slash (/). When decoded, -3A-2F-2F becomes :// and -2F becomes /.

2. IMDSv1 vs. IMDSv2: Why the Token Matters

To fetch a token using curl, you execute the following command inside your EC2 instance:

This article provides a comprehensive guide on using curl http://169.254.169.254/latest/api/token to authenticate and secure your metadata requests in 2026.

What is 169.254.169.254?

: IMDSv2 requires a PUT request to ensure that simple GET-based SSRF vulnerabilities cannot trigger a token generation.

When you see the string curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken (which is a URL-encoded version of the path), it refers to this specific two-step process.

Step 1: Generate the Token