Code Room
On-call | Hard | oc-g608
Subject: Security vulnerability, SSRF. Level: Senior–Staff. ~40 min. Common in Security interviews. Industries: Technology, Software development.

Question

A bug-bounty researcher demonstrates that your image-import feature (POST /api/import?url=) will fetch any URL the user supplies, including http://169.254.169.254/latest/meta-data/iam/security-credentials/, and returns the response body — meaning anyone can read the EC2 instance role's temporary credentials. Your CloudTrail shows API calls in the last 12 hours from those instance credentials originating from IPs outside AWS. The instance role can read two S3 buckets and a Secrets Manager secret. You're the on-call security engineer. Triage and respond.

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.

Mitigate. Take the import endpoint offline (feature flag, WAF rule, or block the app's egress to 169.254.169.254) so the credentials cannot be read again, then invalidate the copy the attacker already holds. Instance-role credentials are STS session credentials and cannot be revoked one session at a time, but an inline Deny policy on the role with a DateLessThan condition on aws:TokenIssueTime (what the IAM console's "Revoke active sessions" does) kills every session issued before that moment, the attacker's included. The instance keeps its now-denied session until it fetches fresh credentials, so plan for a restart or an instance-profile swap and warn the service owner. Switch the instance to IMDSv2 only (http-tokens required, hop limit 1): the SSRF issues a bare GET and cannot perform the PUT token handshake, so the same bug stops yielding credentials even before the code is fixed. Rotate the Secrets Manager secret and whatever it unlocks, on the assumption that it was read.

Investigate from signals, not guesses. The CloudTrail events made with those credentials from addresses outside AWS are ground truth. Pull every event for the role's sessions over the 12-hour window and earlier (the researcher may not have been the first to find this), group by source IP and user agent, and list what was actually touched. GetSecretValue is a management event and is always logged; S3 GetObject and ListObjects are data events and appear only if data-event logging was enabled for those buckets, so fall back to S3 server access logs if it was not. Look for anything beyond the expected S3 and Secrets Manager reads, such as sts or enumeration calls, which show the attacker probing the role's reach. If GuardDuty is enabled, UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS is the finding for exactly this pattern; check whether it fired and, if so, why nobody acted on it.

Root cause versus symptom. The leaked credentials are the symptom. The root cause is three stacked weaknesses: the fetcher follows any user-supplied URL to any address (SSRF), the instance still served IMDSv1 so a single GET was enough, and the role carried more access than an image importer needs.

Communicate. Open an incident channel, declare severity as confirmed unauthorized access to data, and post regular status that separates what is contained, what is known to have been read, and what is still unknown. Loop in the owners of the two buckets and the secret early, because the exposure decision depends on what was in them.

Prevent a repeat. Validate import URLs after DNS resolution, reject every non-public destination (loopback, link-local, RFC 1918, and the metadata addresses 169.254.169.254 and fd00:ec2::254), connect to the validated address rather than re-resolving, and re-validate every redirect instead of letting the HTTP client follow it. Require IMDSv2 on all instances, enforced at launch through a condition on ec2:MetadataHttpTokens, and audit existing ones. Cut the role down to the buckets and operations the import feature really uses, route outbound fetches through an egress proxy with an allowlist, and alert on any instance-role use from outside AWS and on any request from the app to the metadata endpoint.
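
The triage and containment steps above, as an added example that is not part of the original page: it runs over constructed CloudTrail records, reports what the leaked credentials did from each non-legitimate source address, and emits the aws:TokenIssueTime revocation policy plus the CLI steps a responder runs. The role name image-import-role, account 123456789012, instance i-0123456789abcdef0, the instance's egress IP 203.0.113.10, the secret name, and every event in SAMPLE_EVENTS are assumptions for illustration.

```python
"""Triage of CloudTrail events made with leaked EC2 instance-role credentials.

Added example, not the page's own tooling. Everything named here is assumed
for illustration: the role image-import-role in account 123456789012, the
instance i-0123456789abcdef0 whose own calls egress from 203.0.113.10, and
the constructed CloudTrail records in SAMPLE_EVENTS.
"""
import ipaddress
import json
from datetime import datetime, timezone

ACCOUNT = "123456789012"                      # assumed
ROLE_NAME = "image-import-role"               # assumed
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/{ROLE_NAME}"
INSTANCE_ID = "i-0123456789abcdef0"           # assumed
# Addresses from which this role legitimately calls AWS (assumed: the
# instance's own public IP). Anything else using the role is suspect.
LEGIT_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]


def _ev(t, service, name, ip, params, role_arn=ROLE_ARN):
    """Build a CloudTrail record trimmed to the fields the triage reads."""
    return {"eventTime": t, "eventSource": f"{service}.amazonaws.com",
            "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"arn": role_arn}}},
            "requestParameters": params}


# Constructed sample: one legitimate call from the instance, an attacker
# working from 198.51.100.77, and an unrelated role that must be ignored.
SAMPLE_EVENTS = [
    _ev("2024-05-01T02:10:00Z", "s3", "GetObject", "203.0.113.10",
        {"bucketName": "img-uploads", "key": "u/42.png"}),
    _ev("2024-05-01T09:41:12Z", "s3", "ListObjects", "198.51.100.77",
        {"bucketName": "customer-exports"}),
    _ev("2024-05-01T09:42:03Z", "secretsmanager", "GetSecretValue", "198.51.100.77",
        {"secretId": "prod/db/password"}),
    _ev("2024-05-01T10:05:44Z", "s3", "GetObject", "198.51.100.77",
        {"bucketName": "customer-exports", "key": "2024-04/all.csv"}),
    _ev("2024-05-01T10:06:00Z", "sts", "GetCallerIdentity", "198.51.100.77", None),
    _ev("2024-05-01T10:07:00Z", "s3", "GetObject", "198.51.100.77",
        {"bucketName": "x", "key": "y"}, role_arn=f"arn:aws:iam::{ACCOUNT}:role/other"),
]


def uses_role(event, role_arn=ROLE_ARN):
    """AssumedRole events carry the issuing role in sessionContext.sessionIssuer."""
    ctx = event.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("sessionIssuer", {}).get("arn") == role_arn


def is_legit_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LEGIT_SOURCES)


def touched_resource(event):
    """Human-readable resource from requestParameters, or None."""
    p = event.get("requestParameters") or {}
    if "secretId" in p:
        return "secret:" + p["secretId"]
    if "bucketName" in p:
        return "s3://" + p["bucketName"] + ("/" + p["key"] if "key" in p else "")
    return None


def triage(events, role_arn=ROLE_ARN):
    """Events made with the role from non-legitimate sources, grouped by IP:
    first/last seen, actions taken, and the resources they touched."""
    by_ip = {}
    for ev in events:
        if not uses_role(ev, role_arn) or is_legit_source(ev["sourceIPAddress"]):
            continue
        entry = by_ip.setdefault(ev["sourceIPAddress"], {
            "first": ev["eventTime"], "last": ev["eventTime"],
            "actions": [], "resources": []})
        # ISO-8601 UTC timestamps of fixed width compare correctly as strings.
        entry["first"] = min(entry["first"], ev["eventTime"])
        entry["last"] = max(entry["last"], ev["eventTime"])
        entry["actions"].append(ev["eventSource"].split(".")[0] + ":" + ev["eventName"])
        res = touched_resource(ev)
        if res and res not in entry["resources"]:
            entry["resources"].append(res)
    return by_ip


def revoke_policy(issued_before=None):
    """Inline Deny policy that invalidates every session of the role issued
    before `issued_before` (default: now), the mechanism behind the IAM
    console's 'Revoke active sessions' (policy name AWSRevokeOlderSessions)."""
    if issued_before is None:
        issued_before = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}}}]}


def containment_commands(instance_id=INSTANCE_ID, role_name=ROLE_NAME, secret_id="prod/db/password"):
    """CLI steps in order; revoke.json is the output of revoke_policy()."""
    return [
        # 1. IMDSv2 only: the SSRF issues a bare GET and cannot do the PUT token handshake.
        f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
        "--http-tokens required --http-put-response-hop-limit 1",
        # 2. Kill the attacker's copy (the instance's current session is denied too
        #    until it picks up fresh credentials; plan for that).
        f"aws iam put-role-policy --role-name {role_name} --policy-name AWSRevokeOlderSessions "
        "--policy-document file://revoke.json",
        # 3. Assume the secret was read; rotate it and whatever it unlocks.
        f"aws secretsmanager rotate-secret --secret-id {secret_id}",
    ]


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
    print(json.dumps(revoke_policy(), indent=2))
    print("\n".join(containment_commands()))
```

In a real run, `triage` is fed the output of `aws cloudtrail lookup-events` (or an Athena query over the trail bucket) filtered on the role, and LEGIT_SOURCES is the instance's actual egress address or NAT; the per-IP summary is what goes into the incident channel as "known accessed".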
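
The fix that prevents a repeat on the application side, as an added example that is not the page's or any project's code: a URL validator for the import feature that checks scheme, embedded credentials and port, parses IP literals including the legacy spellings inet_aton accepts, resolves hostnames and requires every returned address to be globally routable, and hands back the validated address so the caller can connect to it directly. The function names, the constructed DNS table in demo_resolver, and the hostnames images.example.com and evil.example.com are assumptions for illustration.

```python
"""SSRF guard for a URL-import fetcher of the kind in the scenario.

Added example, not the page's or any project's code. Assumes the service
fetches with the Python standard library; validate_url, is_blocked,
demo_resolver and its DNS table are illustrative names and data.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}               # policy choice for an image importer
# Both EC2 metadata endpoints; is_global rejects them already, listed for intent.
IMDS_ADDRESSES = {ipaddress.ip_address("169.254.169.254"),
                  ipaddress.ip_address("fd00:ec2::254")}


class BlockedURL(ValueError):
    """Raised for any URL the importer must refuse to fetch."""


def parse_ip_literal(host):
    """Return the address if host is an IP literal, else None. Also covers the
    legacy IPv4 spellings inet_aton accepts ('2130706433', '0x7f000001',
    '127.1') that a string match on '169.254.169.254' would miss."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def is_public(addr):
    """True only for globally routable addresses; unwraps IPv4-mapped IPv6."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and addr not in IMDS_ADDRESSES


def default_resolver(host):
    """Every address DNS returns for host; all of them must pass, not just the first."""
    return {ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, None)}


def demo_resolver(host):
    """Constructed DNS table so the example runs offline. evil.example.com
    models a host whose answers mix a public address with the IMDS address."""
    table = {
        "images.example.com": {ipaddress.ip_address("93.184.216.34")},
        "evil.example.com": {ipaddress.ip_address("93.184.216.34"),
                             ipaddress.ip_address("169.254.169.254")},
    }
    return table[host]


def validate_url(url, resolver=default_resolver):
    """Check scheme, credentials and port, then every address the host maps to.
    Returns (split_url, pinned_address); the caller connects to pinned_address
    and re-runs this on each redirect Location instead of auto-following."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as e:
        raise BlockedURL(f"malformed URL: {e}")
    if parts.scheme not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    if not host or parts.username is not None or parts.password is not None:
        raise BlockedURL("missing host or embedded credentials")
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise BlockedURL(f"port not allowed: {port}")
    literal = parse_ip_literal(host)
    try:
        addrs = {literal} if literal is not None else set(resolver(host))
    except (OSError, KeyError, ValueError) as e:
        raise BlockedURL(f"cannot resolve {host!r}: {e}")
    if not addrs:
        raise BlockedURL(f"no addresses for {host!r}")
    for addr in addrs:
        if not is_public(addr):
            raise BlockedURL(f"{host!r} maps to non-public address {addr}")
    return parts, sorted(addrs, key=lambda a: (a.version, str(a)))[0]


def is_blocked(url, resolver=demo_resolver):
    """Does validate_url refuse this URL? (Uses the offline table by default.)"""
    try:
        validate_url(url, resolver)
        return False
    except BlockedURL:
        return True


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://2130706433/", "http://evil.example.com/cat.png",
              "https://images.example.com/cat.png"):
        print(f"{'BLOCK' if is_blocked(u) else 'allow':5} {u}")
```

The validator returns the address it checked so the fetcher can open the TCP connection to that address (with the Host header and TLS server name set to the original hostname) rather than re-resolving; re-resolving at connect time reopens the door to a DNS answer that changes between check and use. Redirects get the same treatment: disable automatic following and pass each Location back through validate_url. None of this replaces IMDSv2; it is the second layer for the day the fetcher grows a new code path.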
