DET0001 Detect Access to Cloud Instance Metadata API (IaaS)

| Item | Value |
|---|---|
| ID | DET0001 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1552.005 (Cloud Instance Metadata API)

Analytics

IaaS

AN0001

Detects access attempts to cloud instance metadata endpoints (e.g., 169.254.169.254) from virtual machines or containerized workloads. This includes both direct access and SSRF exploitation patterns.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | AWS:VPCFlowLogs | Outbound connection to 169.254.169.254 from EC2 workload |
| Cloud Service Metadata (DC0070) | AWS:CloudTrail | GetInstanceIdentityDocument |
| Network Traffic Content (DC0085) | ebpf:syscalls | Process within container accesses link-local address 169.254.169.254 |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Adjust temporal window for correlation of access attempts and SSRF triggers |
| UserContext | Tune based on expected roles that access metadata APIs (e.g., root, service accounts) |
| RequestHeaderMatch | Customize detection for HTTP Host headers indicating SSRF |
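
One way to express AN0001's correlation logic, showing how the three mutable elements shape the result. This is an added example, not part of the original detection record; the event field names, the sample events, the 5-second window and the user names are all constructed assumptions, not the schema of any real sensor.

```python
import re
from datetime import datetime, timedelta

METADATA_IP = "169.254.169.254"
TIME_WINDOW = timedelta(seconds=5)       # TimeWindow (assumed value)
EXPECTED_USERS = {"root", "svc-agent"}   # UserContext (assumed account names)
HOST_MATCH = re.compile(r"^169\.254\.169\.254(:\d+)?$")  # RequestHeaderMatch

def ts(s):
    return datetime.fromisoformat(s)

# Constructed eBPF-style connect events (field names are hypothetical).
CONNECTS = [
    {"ts": ts("2025-10-21T10:00:00"), "workload": "web-1", "process": "cloud-init", "user": "root", "dst": METADATA_IP},
    {"ts": ts("2025-10-21T10:05:03"), "workload": "web-1", "process": "python3", "user": "www-data", "dst": METADATA_IP},
    {"ts": ts("2025-10-21T10:07:00"), "workload": "web-2", "process": "curl", "user": "www-data", "dst": "10.0.0.7"},
    {"ts": ts("2025-10-21T10:09:00"), "workload": "web-2", "process": "sh", "user": "nobody", "dst": METADATA_IP},
]
# Constructed inbound HTTP request records for the same workloads.
HTTP_IN = [
    {"ts": ts("2025-10-21T10:05:01"), "workload": "web-1", "host": "169.254.169.254"},
    {"ts": ts("2025-10-21T10:08:00"), "workload": "web-2", "host": "shop.example.com"},
]

def detect(connects, http_in, window=TIME_WINDOW, expected=EXPECTED_USERS):
    """Return (workload, process, reasons) for each suspicious metadata access."""
    alerts = []
    for c in connects:
        if c["dst"] != METADATA_IP:
            continue
        reasons = []
        if c["user"] not in expected:
            reasons.append("unexpected_user")
        # SSRF trigger: an inbound request on the same workload, shortly before
        # the outbound connection, whose Host header matches RequestHeaderMatch.
        for r in http_in:
            delta = c["ts"] - r["ts"]
            if (r["workload"] == c["workload"]
                    and timedelta(0) <= delta <= window
                    and HOST_MATCH.match(r["host"])):
                reasons.append("ssrf_correlated")
                break
        if reasons:
            alerts.append((c["workload"], c["process"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(CONNECTS, HTTP_IN):
        print(alert)
```

Adding an account to `EXPECTED_USERS` suppresses only the `unexpected_user` reason; a correlated SSRF trigger still raises an alert for that access.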