Detects access attempts to cloud instance metadata endpoints (e.g., 169.254.169.254) from virtual machines or containerized workloads. This includes both direct access and SSRF exploitation patterns.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | AWS:VPCFlowLogs | Outbound connection to 169.254.169.254 from EC2 workload |
| Cloud Service Metadata (DC0070) | CloudTrail:GetInstanceIdentityDocument | GetInstanceIdentityDocument |
| Network Traffic Content (DC0085) | ebpf:syscalls | Process within container accesses link-local address 169.254.169.254 |

| Field | Description |
|---|---|
| TimeWindow | Adjust temporal window for correlation of access attempts and SSRF triggers |
| UserContext | Tune based on expected roles that access metadata APIs (e.g., root, service accounts) |
| RequestHeaderMatch | Customize detection for HTTP Host headers indicating SSRF |
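The following is an added worked example (not part of this page or of any vendor's detection content) that runs the strategy above over constructed log lines: it flags VPC Flow Log records whose destination is the metadata endpoint (the first data component in the table), suppresses sources listed as expected users of the metadata API (the UserContext tunable), and correlates each remaining hit with a web request on the same host whose URL matches the SSRF pattern within a configurable window (the TimeWindow and RequestHeaderMatch tunables). The VPC Flow Log lines follow the default version-2 field order; the application access log format, the `EXPECTED_SOURCES` address, the `TIME_WINDOW` value, and all IP addresses and interface IDs are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Link-local metadata endpoints: IPv4 IMDS and the AWS IPv6 IMDS address.
METADATA_ENDPOINTS = {"169.254.169.254", "fd00:ec2::254"}
# TimeWindow tunable: seconds between an SSRF-looking request and the flow.
TIME_WINDOW = 60
# UserContext tunable: hypothetical instance whose agents legitimately call IMDS.
EXPECTED_SOURCES = {"10.0.0.5"}
# RequestHeaderMatch tunable: host/URL fragments that point at metadata services.
SSRF_PATTERN = re.compile(r"169\.254\.169\.254|fd00:ec2::254|metadata\.google\.internal", re.I)


@dataclass
class Flow:
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: int
    start: int
    action: str


@dataclass
class WebRequest:
    ts: int
    server_ip: str
    url: str


def parse_flow(line: str) -> Flow:
    """Parse one VPC Flow Log record in the default version-2 field order:
    version account-id interface-id srcaddr dstaddr srcport dstport protocol
    packets bytes start end action log-status."""
    f = line.split()
    return Flow(f[2], f[3], f[4], int(f[6]), int(f[10]), f[12])


def parse_web(line: str) -> WebRequest:
    """Parse a constructed app access log line: '<epoch> <server_ip> <method> <url> <status>'."""
    ts, server_ip, _method, url, _status = line.split()
    return WebRequest(int(ts), server_ip, url)


def find_ssrf_trigger(flow: Flow, requests: List[WebRequest]) -> Optional[WebRequest]:
    """Return the first SSRF-looking request served by the same host shortly before the flow."""
    for r in requests:
        if r.server_ip != flow.srcaddr:
            continue
        if 0 <= flow.start - r.ts <= TIME_WINDOW and SSRF_PATTERN.search(r.url):
            return r
    return None


def detect(flow_lines: List[str], web_lines: List[str]) -> List[Dict[str, str]]:
    """Emit one alert per accepted metadata connection from a non-expected source,
    labelled 'ssrf-correlated' when a matching web request precedes it."""
    requests = [parse_web(l) for l in web_lines]
    alerts = []
    for flow in (parse_flow(l) for l in flow_lines):
        if flow.dstaddr not in METADATA_ENDPOINTS or flow.action != "ACCEPT":
            continue
        if flow.srcaddr in EXPECTED_SOURCES:
            continue  # tuned out via UserContext
        trigger = find_ssrf_trigger(flow, requests)
        alerts.append({
            "source": flow.srcaddr,
            "interface": flow.interface_id,
            "kind": "ssrf-correlated" if trigger else "direct-access",
            "trigger_url": trigger.url if trigger else "",
        })
    return alerts


# Constructed sample data (not real telemetry).
SAMPLE_FLOW_LOGS = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 169.254.169.254 41234 80 6 5 420 1700000010 1700000020 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 93.184.216.34 41235 443 6 20 3000 1700000011 1700000021 ACCEPT OK",
    "2 123456789012 eni-0e9f8a7b 10.0.0.5 169.254.169.254 50000 80 6 5 420 1700000030 1700000040 ACCEPT OK",
    "2 123456789012 eni-0c5d6e7f 10.0.2.77 169.254.169.254 50100 80 6 5 420 1700000100 1700000110 ACCEPT OK",
]
SAMPLE_WEB_LOGS = [
    "1700000005 10.0.1.23 GET /fetch?url=http://169.254.169.254/latest/meta-data/ 200",
    "1700000099 10.0.2.77 GET /healthz 200",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOW_LOGS, SAMPLE_WEB_LOGS):
        print(alert)
```

Run as-is, the example reports two alerts: the 10.0.1.23 flow is tagged `ssrf-correlated` because a request carrying the metadata address in its URL was served five seconds earlier, while the 10.0.2.77 flow is tagged `direct-access` because only a `/healthz` request preceded it. The 10.0.0.5 flow is suppressed by the expected-sources allowlist, and the 93.184.216.34 flow never matches the endpoint set. In production the allowlist and window would be tuned per workload, and a `direct-access` hit from a container is the case the eBPF channel in the table is meant to confirm.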