# Securing Your Metadata from Cloud Heists with Prisma Cloud's Attack Path Policies

By [Kabeer Saxena](https://www.paloaltonetworks.com/blog/author/kabeer-saxena/?ts=markdown "Posts by Kabeer Saxena"), Sep 26, 2023

Tags: [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security/?ts=markdown), [EC2](https://www.paloaltonetworks.com/blog/tag/ec2/?ts=markdown), [IAM](https://www.paloaltonetworks.com/blog/tag/iam/?ts=markdown)

Many businesses today rely on cloud computing, and AWS is a significant player in this space. Using AWS, though, can be tricky: if it is not set up correctly, you can unknowingly create a security risk.
Take, for example, the increasingly prevalent scenario involving an EC2 instance. Far too often an EC2 instance is left accessible to anyone on the internet. Just as commonly, that exposed instance exists alongside other misconfigurations, giving bad actors the opportunity they covet and creating a potential perfect storm for the organization. In this post, we'll look at these misconfigurations, their risks, and mitigation strategies.

## Technical Details of the Attack Path

When left publicly exposed and compounded with other vulnerabilities, an EC2 instance can lead to significant problems. Specifically, an EC2 instance endowed with s3:GetObject and s3:ListObject permissions and lacking the shield of IMDSv2 can result in data exfiltration.

In this trifecta opportunity, attackers exploiting the exposed EC2 instance hit pay dirt. Finding s3:GetObject and s3:ListObject permissions gives them the keys to the bank vault, allowing them to list and retrieve whatever they wish from the specified S3 buckets. In many cases, this means access to sensitive data and "hidden" flags.

![Vulnerable IAM Role with overly permissive S3 access](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/09/word-image-305056-1-2.png)

Figure 1: Vulnerable IAM Role with overly permissive S3 access

### Optional IMDSv2 Configuration

AWS's Instance Metadata Service (IMDS) provides data about EC2 instances. Its enhanced version, IMDSv2, requires session-oriented requests, adding an extra layer of security. In other words, IMDSv2 makes gathering information about the EC2 instance more difficult, which reduces the likelihood of a successful [cyberattack](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cyber-attack). Conversely, the absence of IMDSv2 opens a nearly unobstructed path to metadata containing insights into the organization's infrastructure, possibly revealing more vulnerabilities and even direct paths to additional data.
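The three conditions that make up this attack path (public reachability, IMDSv2 left optional, and an instance role that can list and fetch S3 objects) can be checked from inventory data. The following is an added example, not Prisma Cloud's policy logic or code from the post; it runs over constructed records shaped like `ec2 describe-instances` output and IAM policy documents, with the profile-to-policy mapping assumed to be pre-resolved. Note that the IAM action that lists a bucket's contents is `s3:ListBucket` (the name the Exploitation section uses), so that is what the check looks for.

```python
"""Attack-path check for the EC2 'trifecta' described above.
Constructed inventory only; nothing here talks to AWS."""
import fnmatch

# Constructed sample: one exposed instance with IMDSv2 optional and a broad
# S3 role, one that has been hardened. Field names follow the EC2 API
# (PublicIpAddress, MetadataOptions.HttpTokens, IamInstanceProfile.Arn).
INSTANCES = [
    {"InstanceId": "i-0example1", "PublicIpAddress": "203.0.113.10",
     "MetadataOptions": {"HttpTokens": "optional"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"}},
    {"InstanceId": "i-0example2", "PublicIpAddress": "203.0.113.11",
     "MetadataOptions": {"HttpTokens": "required"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-role"}},
]

# Constructed policies keyed by instance-profile name (assumption: one role
# per profile, with its policy already resolved to a document).
ROLE_POLICIES = {
    "web-role": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "app-role": {"Statement": [{"Effect": "Allow",
                                "Action": ["s3:GetObject"],
                                "Resource": "arn:aws:s3:::app-assets/*"}]},
}

# The two actions that together let a caller list and fetch objects.
S3_READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def policy_grants_s3_read(policy):
    """True if Allow statements cover both S3 read actions; wildcard
    patterns such as s3:* or * count, as IAM expands them the same way."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for pattern in actions:
            for needed in S3_READ_ACTIONS:
                if fnmatch.fnmatchcase(needed, pattern.lower()):
                    granted.add(needed)
    return granted == set(S3_READ_ACTIONS)


def find_attack_paths(instances, role_policies):
    """Return IDs of instances combining all three misconfigurations:
    a public IP, IMDSv2 not required, and a role that can read S3."""
    hits = []
    for inst in instances:
        public = bool(inst.get("PublicIpAddress"))
        imdsv1_allowed = inst.get("MetadataOptions", {}).get("HttpTokens") != "required"
        profile_arn = inst.get("IamInstanceProfile", {}).get("Arn", "")
        role = profile_arn.rsplit("/", 1)[-1]
        if public and imdsv1_allowed and policy_grants_s3_read(role_policies.get(role, {})):
            hits.append(inst["InstanceId"])
    return hits


if __name__ == "__main__":
    print(find_attack_paths(INSTANCES, ROLE_POLICIES))  # ['i-0example1']
```

Scoping the role's Resource to one bucket prefix, as `app-role` does, is the Step 1 fix; setting `HttpTokens` to `required` is Step 2, and either change alone breaks the path.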
![The AWS console shows an EC2 instance that has public access enabled and indicates that IMDSv2 is optional. There is also an overly-permissive IAM role attached to the EC2 instance.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/09/word-image-305056-2-1.png)

Figure 2: EC2 with 1. Public Access, 2. IMDSv2 is optional, 3. Attached overly permissive IAM role

As seen in Figure 2, security teams need to watch for the combination of these three misconfigurations, as together they open an entry point for attacks ranging from data breach and exfiltration to system takeover as an attacker with liberal access moves laterally through the organization's network.

## High-Volume Data Transfer Activity

High-volume data transfer can signal data exfiltration, or data theft: the covert and unauthorized extrusion of data, which typically involves sensitive data given its black-market value. For organizations, a data breach comes with long-term costs in the form of regulatory penalties, legal liabilities, reputational damage, and remediation, whether required by agreement or undertaken voluntarily.

Resource owners need to remain vigilant and act swiftly when detecting malicious activity. Without continuous monitoring that can detect relevant anomalies, arresting data exfiltration is left to chance, and an aberrant spike in data transfer goes unnoticed.

![Python Script attempting to exfiltrate high-volume data from a cloud resource](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/09/word-image-304897-3-1.png)

Figure 3: Python Script attempting to exfiltrate high-volume data from a cloud resource

## Exploitation and Misuse

Once attackers spot vulnerabilities such as a publicly accessible EC2 instance, they're quick to capitalize on the opportunity. Using an array of sophisticated tools, they can easily infiltrate the system. Permissions like s3:GetObject and s3:ListObject become their gateway.
If a publicly exposed EC2 instance has excessive permissions, any application running on that instance can access the S3 buckets. The real danger lies in the misuse of the instance metadata service (IMDS), as an attacker can easily extract the IAM role credentials associated with the instance.

Attackers often initiate their unauthorized access by infiltrating a publicly exposed EC2 instance through an exposed service or by utilizing search engine dorks to filter and locate public instances. Once inside, attackers usually attempt to exploit vulnerabilities to interact with the metadata service endpoint (for instance, http://169.254.169.254/latest/meta-data). On instances configured to allow Instance Metadata Service v1 (IMDSv1), the extraction of sensitive information is unencumbered by IMDSv2's protective authentication layer.

This exploitation can snowball from a breach to escalated privileges should the breach yield the secrets and credentials of the attached IAM roles. Armed with IAM role credentials, the attacker can make authenticated AWS API requests. If the IAM role has s3:GetObject and s3:ListBucket permissions, they can list and fetch objects from S3 buckets, leading to data exfiltration.

![Extracting AWS credentials by leveraging misconfigurations and exploiting vulnerabilities](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/09/word-image-304897-4-1.png)

Figure 4: Extracting AWS credentials by leveraging misconfigurations and exploiting vulnerabilities

### Mitigation

Protecting digital assets in a cloud environment requires a multilayered approach to address the nuanced vulnerabilities associated with EC2 instances and their associated permissions.

**Step 1**

Never leave EC2 instances publicly accessible by default. Instead, apply the [principle of least privilege (PoLP)](https://www.paloaltonetworks.com/cyberpedia/what-is-least-privilege-access), granting only those permissions required for the user, machine or human, to do the job.
Judiciously assign and regularly review permissions. In this context, that means s3:GetObject and s3:ListObject.

**Step 2**

Activate IMDSv2. Requiring a valid token to access instance metadata is good security and goes a long way toward preventing unauthorized data access.

**Step 3**

Don't skimp on monitoring. Watch for and respond to anomalies in data transfer patterns. Organizations need to consistently track and analyze EC2 data transfer activity.

**Step 4**

Awareness is the first line of defense. Regular security audits, combined with continuous education and training, will help ensure your teams can both recognize and rectify potential misconfigurations before they become breaches.

## The Right Security Technology

Effective security begins with the right capabilities. Prisma Cloud offers a robust mechanism to tackle EC2 challenges head-on. With its unique attack path policies, it goes beyond identifying isolated vulnerabilities to connecting the dots, giving users a holistic view with insights into potential attack paths. By offering combined insights, Prisma Cloud enables organizations to not just plug individual gaps but proactively block entire attack vectors.

![Prisma Cloud attack path detection](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/09/word-image-305056-5-2.png)

Figure 5: Prisma Cloud attack path detection

In a dynamic cloud environment, Prisma Cloud's interconnected risk view ensures that security teams can prioritize and remediate the most potent threats, significantly reducing the window of opportunity for attackers.

## Learn More

If you haven't tried Prisma Cloud and would like to test drive best-in-class code-to-cloud security, we'd love for you to experience a free [30-day Prisma Cloud trial](https://www.paloaltonetworks.com/prisma/request-a-prisma-cloud-trial).
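The monitoring that Step 3 and the High-Volume Data Transfer section call for needs a baseline that the spike itself cannot distort. The following is an added example, not Prisma Cloud's detection logic or code from the post: it scores a constructed per-instance egress series (shaped like CloudWatch's NetworkOut metric summed per 5-minute period) against a median/MAD baseline, so a bulk pull of S3 objects stands out while normal jitter does not.

```python
"""Egress-spike detector for one EC2 instance (Step 3 above).
Constructed sample only; nothing here reads CloudWatch. A real run would
pass NetworkOut datapoints (bytes per period) in the same list form."""
from statistics import median

# Constructed: 24 ordinary 5-minute periods of ~3 MB out, then two periods
# of ~500 MB, which is what a bulk S3 download looks like in NetworkOut.
NETWORK_OUT_BYTES = [
    3_100_000, 2_900_000, 3_400_000, 2_700_000, 3_000_000, 3_300_000,
    2_800_000, 3_200_000, 3_100_000, 2_950_000, 3_050_000, 3_150_000,
    2_850_000, 3_250_000, 3_000_000, 3_100_000, 2_900_000, 3_350_000,
    3_050_000, 2_750_000, 3_200_000, 3_000_000, 3_100_000, 2_950_000,
    480_000_000, 520_000_000, 3_100_000,
]


def robust_baseline(window):
    """Median and median absolute deviation of the trailing window.
    Unlike mean/stddev, neither is dragged upward by the burst we want
    to catch, so one noisy period does not hide the next one."""
    med = median(window)
    mad = median(abs(x - med) for x in window)
    return med, mad


def find_egress_spikes(series, window=12, k=10.0, min_ratio=5.0):
    """Return (period_index, bytes, baseline_median) for periods whose
    egress exceeds median + k*MAD AND at least min_ratio times the median.
    Both tests must hold: on a flat series MAD is ~0, and the ratio floor
    keeps tiny jitter from alerting. Flagged periods are excluded from
    the baseline so a sustained exfiltration does not become 'normal'."""
    spikes = []
    history = []
    for i, value in enumerate(series):
        if len(history) >= window:
            med, mad = robust_baseline(history[-window:])
            if value > med + k * mad and value >= min_ratio * med:
                spikes.append((i, value, med))
                continue  # keep the outlier out of the baseline
        history.append(value)
    return spikes


if __name__ == "__main__":
    for idx, value, base in find_egress_spikes(NETWORK_OUT_BYTES):
        print(f"period {idx}: {value / 1e6:.0f} MB out vs ~{base / 1e6:.1f} MB baseline")
```

Thresholds are assumptions to tune per workload; a backup host legitimately pushes large volumes on a schedule, so pair this with the instance's expected traffic profile before paging anyone.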