Question
Your 'import from URL' feature (a server-side **PDF/HTML renderer** that fetches a user-supplied link) has an allowlist blocking `169.254.169.254` and RFC1918 ranges. A bug-bounty report shows it was bypassed: the attacker supplied a URL on their own domain that returns an HTTP **302 redirect** to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`, and the renderer followed the redirect (the allowlist only checked the *original* URL, not the redirect target). CloudTrail now shows the renderer host's instance role used from an external IP. How do you triage the blast radius, contain it, and fix the SSRF properly?
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.