The Capital One breach wasn’t done through the too-common open or purely misconfigured S3 bucket. It was a hack that serves as a lesson to anyone who deploys production web apps in the cloud. The attacker exploited a Server-Side Request Forgery (SSRF) vulnerability in a Web Application Firewall to reach a tool that AWS itself provides to its EC2 instances: the Instance Metadata service. That service lets an EC2 instance make an HTTP GET request to the link-local IP 169.254.169.254 to retrieve its own metadata, and that metadata can include the instance’s own AWS security credentials. With those credentials in hand, an attacker can gain access to other resources in the victim’s AWS infrastructure.
The lesson for anyone who deploys applications on cloud platforms such as AWS is that it pays to know more about your cloud provider’s architecture and tools than the minimum needed to get to deployment. It’s possible for a team to bring an application all the way to production on EC2 machines in AWS without ever knowing that the Instance Metadata service exists. Greater knowledge of your particular cloud provider helps you account for the extra attack vectors it may introduce.
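One concrete way to account for the attack vector described above is to treat the metadata address as a forbidden destination for any URL the application fetches on a user's behalf. The following is an added example, not code from the original article or from Capital One or AWS: an outbound-URL guard that resolves the requested host and refuses anything that maps to 169.254.169.254 or to any other non-public address. The hostnames, the `DEMO_DNS` table and the sample addresses are constructed so the block runs offline; in production the default resolver (`socket.getaddrinfo`) would be used instead.

```python
"""Outbound-URL guard against SSRF reaching the EC2 Instance Metadata service.

Added example, not code from the article. It rejects fetch targets that resolve
to the metadata address 169.254.169.254 (from the article) or to any address that
is not globally routable, so an SSRF bug in the application cannot be turned into
a read of the instance's own credentials.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Link-local address of the EC2 Instance Metadata service (stated in the article).
METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Constructed lookup table standing in for DNS so the demo runs offline.
# Hostnames and addresses are sample data, not real infrastructure.
DEMO_DNS = {
    "api.example": ["93.184.216.34"],                     # a public address
    "imds-alias.example": ["169.254.169.254"],            # points straight at IMDS
    "rebind.example": ["93.184.216.34", "10.0.0.5"],      # public + RFC 1918 answer
}


def default_resolver(host):
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def demo_resolver(host):
    """Offline resolver backed by the constructed DEMO_DNS table."""
    if host not in DEMO_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host!r}")
    return DEMO_DNS[host]


def resolved_addresses(host, resolver=default_resolver):
    """Return ip_address objects for host; IP literals need no lookup."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver(host)]


def is_blocked_address(addr):
    """True for the metadata IP and for any address that is not globally routable
    (loopback, link-local, RFC 1918, IPv4-mapped IPv6 forms of those, etc.)."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 hides the IPv4 literal
    return addr == METADATA_IP or not addr.is_global


def check_fetch_target(url, resolver=default_resolver):
    """Return (allowed, reason) for a URL the application wants to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = resolved_addresses(host, resolver)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    if not addrs:
        return False, f"{host!r} resolved to no addresses"
    # Every answer must be acceptable: one private answer among public ones is
    # enough to reach internal services, so the whole target is refused.
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://imds-alias.example/latest/meta-data/",
        "http://rebind.example/",
        "http://127.0.0.1:8080/admin",
        "file:///etc/passwd",
        "https://api.example/v1/report",
    ]
    for u in samples:
        allowed, reason = check_fetch_target(u, demo_resolver)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {u}  ({reason})")
```

The guard checks every address a name resolves to, not just the first, because a mixed public/private answer set is enough to reach internal services. It is still only one layer: resolution at check time and resolution at connect time are separate lookups, so the addresses returned here should be the ones the HTTP client actually connects to, and the same test should be applied again to any redirect target before it is followed.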