Code Room
On-call
Hardoc-g149
Subject: Security incidents
Level: Senior–Staff
Duration: ~45 min
Common in: Security · Reliability & on-call interviews
Industries: Technology, Software development

Question

Your WAF/app logs show a public image-fetch feature ('preview URL') being called with internal/loopback targets: http://169.254.169.254/latest/meta-data/iam/security-credentials/. Shortly after, CloudTrail shows the web tier's instance role making API calls (s3:GetObject across multiple buckets, then sts:GetCallerIdentity) from an external IP that is NOT your infrastructure. The image-preview feature shipped last sprint and fetches any user-supplied URL server-side. How do you triage, contain, and remediate this SSRF-to-credential-theft incident?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
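The two code-shaped parts of that answer are the triage query over the WAF/app logs and the remediation of the preview fetcher. The block below is an added example, not material from the interview page or from any product it describes: a destination check that resolves the user-supplied host and refuses loopback, link-local (which covers the 169.254.169.254 metadata address from the question), RFC 1918 and other non-routable ranges, plus a scanner that applies the same check to log lines to pull out the SSRF attempts and the client IPs to pivot on. The log format, the `/api/preview?url=` request shape, the constructed log lines, the fake DNS table and the hostnames in it are all assumptions made for the example.

```python
"""Added example for the SSRF-to-IMDS scenario: a resolve-then-check guard for a
server-side URL fetcher, and a log scan that uses it for triage. Log format,
endpoint shape and sample data are constructed; nothing here is from the page."""
import ipaddress
import re
from typing import Callable, Iterable, List, Optional, Union
from urllib.parse import parse_qs, urlparse

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]  # hostname -> list of address strings

# Ranges a server-side fetcher must never reach. Checking the *resolved*
# address (not the URL string) is what makes hostnames, IPv4-mapped IPv6 and
# integer spellings of an address land in the same check.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. cloud metadata 169.254.169.254
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # shared address space
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
]


def resolve_all(host: str, resolver: Resolver) -> List[IPAddr]:
    """Every address `host` maps to. Integer and literal forms are parsed
    directly; names go through `resolver`. Empty list == could not resolve."""
    try:
        if host.isdigit():                    # e.g. 2130706433 is 127.0.0.1
            return [ipaddress.ip_address(int(host))]
        return [ipaddress.ip_address(host)]   # dotted / colon-hex literal
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(a) for a in resolver(host)]
    except (ValueError, OSError):
        return []


def is_blocked_destination(url: str, resolver: Resolver) -> bool:
    """True if a server-side fetch of `url` must be refused. Fails closed on
    non-HTTP schemes, missing hosts and unresolvable names. Callers must run
    this again on every redirect hop rather than letting the HTTP client
    follow redirects on its own."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return True
    addrs = resolve_all(parsed.hostname, resolver)
    if not addrs:
        return True
    for ip in addrs:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped               # ::ffff:169.254.169.254 -> 169.254.169.254
        if not ip.is_global or any(ip in net for net in BLOCKED_NETWORKS):
            return True
    return False


# --- triage over WAF/app logs (constructed format: ts client method path status) ---
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def extract_preview_target(request_path: str) -> Optional[str]:
    """User-supplied URL from an /api/preview?url=... request (assumed shape)."""
    p = urlparse(request_path)
    if p.path != "/api/preview":
        return None
    values = parse_qs(p.query).get("url")    # parse_qs percent-decodes the value
    return values[0] if values else None


def scan_waf_log(lines: Iterable[str], resolver: Resolver) -> List[dict]:
    """One finding per preview request aimed at a blocked destination, with
    the client IP to pivot on against CloudTrail's sourceIPAddress."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        target = extract_preview_target(m["path"])
        if target and is_blocked_destination(target, resolver):
            findings.append({"ts": m["ts"], "client": m["client"], "target": target})
    return findings


# Offline stand-in for DNS so the example runs without network access (constructed).
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "rebind.example": ["169.254.169.254"],    # a name that resolves to the metadata address
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


# Constructed WAF lines: one legitimate preview, three internal-target attempts, noise.
SAMPLE_WAF_LOG = """\
2024-01-01T10:02:11Z 203.0.113.7 GET /api/preview?url=https%3A%2F%2Fimages.example.com%2Fcat.png 200
2024-01-01T10:02:15Z 203.0.113.7 GET /api/preview?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F 200
2024-01-01T10:02:19Z 203.0.113.7 GET /api/preview?url=http%3A%2F%2F2130706433%2F 200
2024-01-01T10:02:23Z 203.0.113.7 GET /api/preview?url=http%3A%2F%2Frebind.example%2Fx.png 200
2024-01-01T10:03:01Z 198.51.100.9 GET /api/preview?url=http%3A%2F%2Fimages.example.com%2Fdog.png 200
2024-01-01T10:03:05Z 198.51.100.9 GET /healthz 200
""".splitlines()

if __name__ == "__main__":
    for finding in scan_waf_log(SAMPLE_WAF_LOG, fake_resolver):
        print(finding)
```

In production pass a real resolver (a thin wrapper over `socket.getaddrinfo`) and keep the check on the fetch path itself, not only in a log review: the fetcher should resolve once, validate, connect to the validated address, and re-validate every redirect target. The guard is the fix for the feature; the credential theft still needs the incident half of the answer (revoke or rotate the web tier's instance-role credentials, review the CloudTrail `s3:GetObject` activity from the external IP for what was read). On AWS, requiring IMDSv2 on the web tier is an independent layer: its session tokens and hop limit stop a plain GET issued through an SSRF from reading the role credentials at all.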
