The Instance Metadata Service (IMDS) simplifies credential management on EC2 instances by providing temporary, automatically rotated credentials. This eliminates the need to hardcode or manually distribute sensitive credentials to applications. IMDS runs locally on every EC2 instance and is accessible via the link-local IP address 169.254.169.254. It is also accessible over IPv6 for EC2 instances built on the Nitro System.

The EC2 IMDS provides important information about each individual EC2 instance. This includes several categories of information, such as AMI ID, hostname, associated security groups, instance id, local IPv4, etc

Here's an example of what IAM credentials might look like when retrieved from the EC2 instance metadata:

$ curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
{
  "Code" : "Success",
  "LastUpdated" : "2026-04-17T18:20:09Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAZYX123M4ABCD567E",
  "SecretAccessKey" : "exponentialTHlF2HmgNWsecretRNB2JXexample",
  "Token" : "IQoJb3JpluX2VjEBIaC//////wEQABoMMTzMjUyIgw8uDv8CA7wN9Y0wBwqpwSlpN654xzHp7mGsZ9gz5J8uoo2xJqG3Bc7C/1TAFZyEiSz0cN...",
  "Expiration" : "2026-04-18T00:45:39Z"
}

Note: The above curl request uses IMDSv1, as it does not include a session token in the request header.

Server-side request forgery (SSRF) and the Instance Metadata Service

An attacker exploiting a Server-Side Request Forgery (SSRF) vulnerability can trick an application into making requests to the instance metadata endpoint (169.254.169.254). If IMDSv1 is enabled, this can allow the attacker to retrieve IAM credentials associated with the instance.

Recently, Mandiant identified a threat actor using a known vulnerability, CVE-2021-21311, to steal IAM credentials from EC2 instances using the metadata service post-compromise. [1]

IMDSv2 mitigates this risk by requiring a session token in request headers, which typical SSRF vulnerabilities cannot easily provide.

IMDSv2

With IMDSv2, access to instance metadata is protected using session-based authentication. A session begins when a client requests a temporary token using a PUT request. This token must then be included in the header of all subsequent requests to access metadata.

This approach ensures that only requests originating from within the instance can successfully retrieve metadata, significantly reducing the risk of SSRF-based attacks.

For example, this curl recipe retrieves a session token that’s valid for the full six hours (21600 seconds) and then uses that token to access the EC2 instance’s profile metadata:

TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

Output:
{
  "Code" : "Success",
  "LastUpdated" : "2026-04-17T18:42:35Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAZYX123M4ABCD567E",
  "SecretAccessKey" : "exponentialC/wmIczuv7CGuOmm8iXPSCexample",
  "Token" : "IQoJb3JpZ2luTEiSDBGAiEA9+W761PO/4SOcqcQ3Ty4PsnK4WsSzEZP6WgCIQD4+koxgcjdEPnL9whM0R0TyZdjhFPY5cfBirTBAjc//////////8rxcf1/OykGpvb46+VEIFL+5...",
  "Expiration" : "2026-04-18T01:06:48Z"
}

Note: The above curl request uses IMDSv2, as it includes the session token in the request header.

IMDSv1 vs IMDSv2

There are two versions of the Instance Metadata Service: IMDSv1 and IMDSv2.

IMDSv1 is a simple request and response protocol. When you make a request to the IMDS from the EC2 instance, you receive the result of your request. There are no additional parameters to be passed. Because of this, IMDSv1 is a perfect candidate for SSRF attacks.

IMDSv2, on the other hand, is session-oriented. This means that, before making a request to the IMDS, you must first create a session token with a PUT request and pass it along in subsequent requests inside a header. This provides an additional security benefit, as an adversary is unlikely to be able to set a request header via SSRF. IMDSv2 can be enforced during instance creation by configuring the Instance Metadata Options to require session tokens.

How to enable IMDS during Instance creation

While creating the instance, In the Advanced Details you can configure Instance metadata options

How to Verify IMDS Version in AWS EC2

Two ways:

1. Console
   In the EC2 console, navigate to:
   EC2 → Instances → Select your instance id

   

   HttpTokens = required → IMDSv2 is enforced (IMDSv1 disabled)
   HttpTokens = optional → Both IMDSv1 and IMDSv2 are allowed

2. CLI
   When IMDS v2 is enabled

   $ aws ec2 describe-instances --instance-ids i-0f581c1c90fc521c2 --query "Reservations[].Instances[].MetadataOptions.HttpTokens" --output table
   -------------------
   |DescribeInstances|
   +-----------------+
   |  required       |
   +-----------------+
   

   When IMDS v1 is enabled

   $ aws ec2 describe-instances --instance-ids i-0ef0ce715ba1fc912 --query "Reservations[].Instances[].MetadataOptions.HttpTokens" --output table
   -------------------
   |DescribeInstances|
   +-----------------+
   |  optional       |
   +-----------------+
   

How to Modify Instance Metadata

1. Console

   

2. CLI
   To transition from IMDSv1 to IMDSv2

   $ aws ec2 modify-instance-metadata-options --instance-id i-0ef0ce715ba1fc912 --http-endpoint enabled --http-tokens required
   {
       "InstanceId": "i-0ef0ce715ba1fc912",
       "InstanceMetadataOptions": {
           "State": "pending",
           "HttpTokens": "required",
           "HttpPutResponseHopLimit": 2,
           "HttpEndpoint": "enabled",
           "HttpProtocolIpv6": "disabled",
           "InstanceMetadataTags": "disabled"
       }
   }
   

   To transition from IMDSv2 to IMDSv1

   $ aws ec2 modify-instance-metadata-options --instance-id i-0ef0ce715ba1fc912 --http-endpoint enabled --http-tokens optional
   

   HttpTokens = required → IMDSv2 is enforced (IMDSv1 disabled)
   HttpTokens = optional → Both IMDSv1 and IMDSv2 are allowed

   To disable IMDS

   $ aws ec2 modify-instance-metadata-options --instance-id i-0ef0ce715ba1fc912 --http-endpoint disabled
   

Enforcing IMDSv2 is a simple yet effective step to improve the security posture of your EC2 instances, especially in environments where applications may be exposed to untrusted input.

References

[1] Google Cloud – Cloud Metadata Abuse (UNC2903 Case Study)
https://cloud.google.com/blog/topics/threat-intelligence/cloud-metadata-abuse-unc2903/

[2] Amazon Web Services – Configure Instance Metadata Service
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

[3] Amazon Web Services – IMDSv2 on Amazon Linux 2023
https://docs.aws.amazon.com/linux/al2023/ug/imdsv2.html

[4] Amazon Web Services Security Blog – SSRF and IMDS Protection
https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

[5] Datadog Security Labs – IMDS Misconfiguration Spotlight
https://securitylabs.datadoghq.com/articles/misconfiguration-spotlight-imds/

• No way to instantly message your friends or see what’s trending on social media.

• No ability to stream music, attend virtual classes, or play online games.

• No quick access to information, collaboration tools, or even emailing for work or school.

• Forget about video calls with loved ones across the world

Well, that's the world without computer networks.

Why Learn Computer Networks?

Simple answer: to do all the things we couldn’t do in a world without them.

Whether it’s browsing the web, sending messages, working remotely, streaming videos, or making video calls, computer networks are the backbone that make modern life seamless and connected. Every device—laptop, desktop, smartphone, smartwatch, or tablet—is a different form of a computer.

Regardless of your career path—whether you're a Software Development Engineer (SDE), Big Data Engineer, Network Engineer, or any other role in tech—understanding computer network fundamentals is essential.

Learning computer networks means understanding the hidden “plumbing” that powers our digital world.

OSI Model ( Open-Systems-Interconnection )

Also referred to as a reference model, this model provides a high-level overview of how data is transmitted from one computer to another.

• Anything that is a part of the network that wants to communicate is called a Host.

• The server is a special type of computer. It is also a Host when receiving data from clients. The server is something that a host receives data from.

• The OSI Model was finalized between the 1970s and 1980s. And it is a reference model, which means it acts as a reference guide to implement or form the network in the real world.

• Based on the OSI model, the exact model that is implemented in the real world is the TCP/IP Model.

• The OSI Model has 7 different layers. And each layer has a bunch of protocols that need to be followed to implement a network in the real world.

• Protocols — A set of rules that everyone needs to agree upon.

Philosopher - Translator - Secretary Architecture

OSI model is based on the architecture of philosopher-translator-secretary.

In this architecture, there are two philosophers (A and B) in different locations, and they don’t speak the same language and want to transmit a message. So, some steps need to be followed by both to successfully send the message.

• Philosopher A gives the message to his secretary, and the secretary will convert the message into a common language that can be understood by the secretary in both locations.

• Then the converted message will be sent through Fax to Location B. And the secretary in location B will understand the message and pass it to the philosopher in the language the philosopher understands.

So, this way communication happens in this architecture. So, the same is followed in the OSI Model. Each layer states the different protocols that need to be followed for the successful transmission of the message.

Now, let’s look at the different layers in the OSI Model

Now, let’s briefly look at what each layer is,

Application Layer (Layer 7)

• Browser → HTTPS / FTP (File Transfer Protocol)

• Outlook → SMTP (Simple Mail Transfer Protocol)

• Skype → Skype protocol

• Remote Desktop → Telnet for Unix-based systems), RDP (Remote Desktop Protocol)

The application layer has a bunch of protocols that are used for various tasks. Outlook uses SMTP for mail transfers and HTTPS to fetch a web page securely.

Presentation Layer (Layer 6)

The presentation layer is mostly responsible for

• Translation

  Translates data received from the application layer into the form of ASCII or binary

  • e.g

    • Data: Hello o ASCII: 72 101 108 108 111

    • Binary: 01001000 01100101 01101100 01101100 01101111

• Data Compression

  Suppose after translation we get 1MB of Data. So, Data Compression tries to reduce the size of the data without much loss because the less the size is the faster transmission can happen over the network.

• Encryption

  Encrypts the data so that it can’t be misused. HTTPS uses SSL (Secure Socket Layer), which is a cryptographic protocol designed to provide communications security over a computer network.

Session Layer (Layer 5)

• Establish, manage, and terminate connections.

  • Establishment of a connection means making a connection in which both server and client have agreed to transfer the data.

  • Managing connection states, getting knowledge of the connections that were established, and the data transfer can be done effectively.

  • In terminating the connection, after the data transfer completes then the connection must be terminated.

• Authentication and Authorization

  • Authentication: validation of the user ID and password

  • Authorization: whether a user has permission to access a file or not

• An example of a session is a login and a logout

Transport Layer (Layer 4)

1. Segmentation

   Data is broken into segments to transfer one chunk at a time, i.e., manageable. A general segment has Source IP, Destination IP, and Data (of the segment)

   

2. Flow Control

   Managing the flow of data transmitted from one host to another host. The server is sending 10Mbps, but the host is not able to process. So, it requests the server to transmit 1Mbps transfer rate.

   

3. Error Control

   There can be a loss of data or data might be corrupted. So, we use error control. These can be fixed in the Transport layer by something called Automatic Repeat Request (in case of loss of data receiver will ask to resend the data) or checksum (checks if the data is corrupted or not).

   

Network Layer (Layer 3)

The network layer’s main task is to recognize the network through which the data must be transmitted. It has something called packets. Each packet has a segment, which is received from the above layer and is encapsulated with a header in which we have source and destination addresses. We include the IP address in the TCP packet. Logical Addressing (IP Address).

What is an IP address?

• Range of IP address: 0.0.0.0 to 255.255.255.255

• It is the address that the network system has uniquely identified. It is a 32-bit or 4-byte address in IPv4, and each byte has an address range of 0-255, called an octet.

• So, the task of the network layer is to provide the IP address to each host. And it also does Routing.

What is Routing?

The task of Routing is to route the packet from the source to the destination.

How do routers do that?

We have destination address it does Masking Masking is a simple bit wise operation. The router sets some bits to 0 and performs a bitwise AND operation, and after masking on the destination IP address, it will get the network IP address.

Now, with the help of the IP address, it will decide the next router for the packet it has to send.

DNS (Domain Name System) is used to connect a hostname like amazon.com to its IP address.

Data Link Layer (Layer 2)

• The MAC Address is also called a physical address because it contains the address of the physical network device from which the data is going to be transmitted.

• It is assigned to the network devices, such as NIC (Network Interface Card), Wi-Fi Card, USB Wi-Fi Dongle, etc., by the manufacturer.

• The packet received from the network layer Data Link Layer encapsulates that with source and destination MAC addresses and creates something called, frame.

  

• But Why MAC Address?

  The MAC Address helps us to uniquely identify the device. If a packet is received, it helps us to determine which device it belongs to.

Apart from all these Data Link Layer does a few other things, such as

1. Access to Media: Media like (Copper wire, Fiber optic cable, Wireless). Since it has access to all these, it can detect Congestion, Error, Collision, etc.

2. Media Access Control

   Media does not mean audio, video. Here, media means the medium through which the data is transferred. DLL helps to control the medium, such as when to transmit the data.

   • If Multiple hosts are connected to the same router, all the hosts cannot send packets at the same time. MAC ensures avoids collisions.

     

3. Error Detection

   It is added in the tail part; It is the mechanism to detect any error in the data. Some algorithms, like CRC (Cyclic redundancy check), Checksum, Bit Parity, etc., help us do that.

Physical Layer (Layer 1)

The physical layer deals with the encoding of the stream of bits into the signals. These signals are categorized based on the media (or medium).

The physical layer’s job is to transmit bits to a signal based on the medium used.

TCP vs UDP

OSI Model vs TCP/IP

• O(n²) Time Complexity in all cases.

• Does less “Memory writes” when compared with other algorithms such as Quick sort, Merge sort, Insertion sort and Bubble sort.

• However, not an optimal algorithm in terms of “Memory writes”. There is other algorithm called Cycle sort which is optimal in terms of memory writes.

• Basic idea for Heap sort.

• Not Stable (order of elements may change).

• In-Place Algorithm

Idea

• Iterate through loop

• First iteration, find the minimum element and put it in the first place.

• Second iteration, find the minimum element and put it in the second place.

• Repeat this process, at the end the array is sorted.

Code

Time Complexity

The internal for-loop runs:

$$\begin{align*} (n-1) + (n-2) + \dots + 2 + 1 \\ = \frac{n(n-1)}{2} \\ \theta(n^2) \end{align*}$$

Traditional IT Overview

IT Terminology

Network

Cables, routers and servers connected with each other.

Router

A networking device that forwards data packets between computer networks. They know where to send your packets on the internet.

Switch

Takes a packet and send it to the correct server / client on your network.

Problems with traditional IT approach

• Pay for the rent for the data centre

• Pay for power supply, cooling, maintenance

• Adding and replacing hardware takes time

• Scaling is limited

• Hire 24/7 team to monitor the infrastructure

• How to deal with disasters (earthquake, power shutdown, fire, …)

What is Cloud Computing?

• Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources

• Through a cloud services platform with pay-as-you-go pricing

• You can provision exactly the right type and size of computing resources you need

• You can access as many resources as you need, almost instantly

• Simple way to access servers, storage, databases and a set of application services

• Amazon Web Services owns and maintain the network-connected hardware required for these application services, while you provision and use what you need via a web application

The Deployment Models of the Cloud

The Five Characteristics of Cloud Computing

1. On-demand self service:

   Users can provision resources and use them without human interaction from the service provider

2. Broad network access:

   Resources available over the network, and can be accessed by diverse client platforms

3. Multi-tenancy and resource pooling:

   • Multiple customers can share the same infrastructure and applications with security and privacy

   • Multiple customers are serviced from the same physical resources

4. Rapid elasticity and scalability:

   • Automatically and quickly acquire and dispose resources when needed

   • Quickly and easily scale based on demand

5. Measured service:

   Usage is measured, users pay correctly for what they have used

Six Advantages of Cloud Computing

1. Trade capital expense (CAPEX) for operational expense (OPEX)

   • Pay On-Demand: don’t own hardware

   • Reduced Total Cost of Ownership (TCO) & Operational Expense (OPEX)

2. Benefit from massive economies of scale

   Prices are reduced as AWS is more efficient due to large scale

3. Stop guessing capacity

   Scale based on actual measured usage

4. Increase speed and agility

5. Stop spending money running and maintaining data centres

6. Go global in minutes: leverage the AWS global infrastructure

Problems solved by the Cloud

• Flexibility: change resource types when needed

• Cost-Effectiveness: pay as you go, for what you use

• Scalability: accommodate larger loads by making hardware stronger or adding additional nodes

• Elasticity: ability to scale out and scale-in when needed

• High-availability and fault-tolerance: build across data centres

• Agility: rapidly develop, test and launch software applications

Types of Cloud Computing

Infrastructure as a Service(IaaS)

• Provide building blocks for cloud IT

• Provides networking, computers, data storage space

• Highest level of flexibility

• Easy parallel with traditional on-premises IT

Ex: Amazon EC2(AWS), GCP, Azure, Rackspace, Digital Ocean, Linode

Platform as a Service(PaaS)

• Removes the need for your organizationo to manage the underlying infrastructure

• Focus on the deployment and management of your applications

Elastic Beanstalk(AWS), Heroku, Google App Engine(GCP), Windows Azure(Microsoft)

Software as a Service(SaaS)

• Completed product that is run and managed by the service provider

On-premises vs Iaas vs Paas vs Saas

AWS Cloud Overview

AWS Regions

• AWS has Regions all around the world

• Names can be us-east-I, eu-west-3, …

• A region is a cluster of data centers

• Most AWS services are region-scoped

How to choose an AWS Region?

• Compliance with data governance and legal requirements: data never leaves a region without your explicit permission

• Proximity to customers: reduced latency

• Available services within a Region: new services and new features aren’t available in every Region

• Pricing: pricing varies region to region and is transparent in the service pricing page

AWS Availability Zones

• Each region has many availability zones. (usually3, min is 3, max is 6). Example:

  • ap-southeast-2a

  • ap-southeast-2b

  • ap-southeast-2c

• Each availablity zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity

• They’re separate from each other, so that they’re isolated from disasters

• They’re connected with high bandwidth, ultra-low latency networking

AWS Points of Presence (Edge Locations)

• Amazon has 400+ Points of Presence (400+ Edge Locations & 10+ Regional Caches) in 90+cities across 40+ countries

• Content is delivered to end users with lower latency

The purpose of useState is to handle reactive data. Any data that changes in the application is called state. When the state changes you want react to update the UI, so the latest changes are reflected to the end user.

How to use it?

const [count, setCount] = useState(0)

useState() returns an array with 2 values:

1. Current state

   In our example, count is the state variable which is set to 0. This initial state can be a number, boolean, string, or object

2. Set function to update the state.

   You can update the state in two ways:

   i. Directly passing the next state setCount(2) // Now, the updated state of

   count will be 2.

   ii. Using function setCount( prevCount => prevCount + 1) In this function, we check the current state which is 2. The value of prevCount will be 2, then

   we increment it by 1.

Docs:https://react.dev/reference/react/useState#usage

useEffect()

useEffect is a Hook in React that allows you to synchronise a component with an external system. It is a way to handle side effects, such as fetching data or subscribing to a event in a functional component.

How to use it?

useEffect(() => {
    console.log('count changed')
},[count])

Here, the `count changed ` will be logged every time the count changes.

useEffect takes two arguments:

1. A callback function

   The callback function is called after the component has rendered.

2. A list of dependencies

   The list of dependencies is used to determine when to re-run the effect, by comparing the current values of the dependencies to the previous values.

In the callback function, you can perform any side effects, such as fetching data or subscribing to an event. You can also return a cleanup function, which is called before the component is unmounted or the effect is re-run.

Note:

1. If you don’t pass dependencies the effect will re-run on every render of component.

2. When state variables are used in useEffect , make sure to include in dependency array.

3. Make sure to handle side effects, with a cleanup function.

Docs:https://react.dev/reference/react/useEffect#reference

useContext()

useContext is a way to manage state globally without passing props down through multiple levels of the component tree.

The Problem

Prop Drilling: Prop drilling refers to the process of passing down props through multiple layers of components, even when some of those components do not directly use the props. We can solve this problem using useContext()

How to use it?

Three things to understand:

1. Creating context

    const EmailContext = React.createContext(null);
   

2. Provide a value for the context using ContextName.Provider

    function App() {
        const value = { email: "in.mohsin@outlook.com" };
   
        return (
          <EmailContext.Provider value={value}>
            <Child />
          </EmailContext.Provider>
        );
    }
   

3. Use useContext() in the component that needs to consume the context

    function Child() {
        const context = useContext(EmailContext);
        return <div>The email is: {context.email}</div>;
    }
   

When the context value is updated by the provider, the component consuming the context re-renders automatically. This allows the component to always have the latest data.

Docs:https://react.dev/reference/react/useContext#usage