Code Room
On-call | Hard
Question
A bug-bounty researcher demonstrates that your image-import feature (POST /api/import?url=) fetches any URL the user supplies and returns the response body, including http://169.254.169.254/latest/meta-data/iam/security-credentials/ on the EC2 instance metadata service, so anyone can read the instance role's temporary credentials. CloudTrail shows API calls over the last 12 hours made with those credentials from IP addresses outside AWS. The role can read two S3 buckets and one Secrets Manager secret. You are the on-call security engineer. Triage and respond.
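The fix on the application side is a destination check that the import handler runs before it fetches anything. The block below is an added example, not the page's code and not the import feature's real implementation; the function and resolver names are assumptions. It rejects the destinations an SSRF to the metadata service depends on, including the integer and IPv4-mapped spellings of 169.254.169.254 and hostnames that resolve there, and it returns the vetted address so the HTTP client can connect to that address rather than resolving the name a second time.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Added example for the POST /api/import?url= handler on the page: the function
# and resolver names below are assumptions, not the application's real code.

# Destinations the importer must never reach, on top of the private/loopback/
# link-local/reserved checks the ipaddress module already provides.
DENIED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),    # link-local, incl. 169.254.169.254 (IMDS)
    ipaddress.ip_network("fd00:ec2::254/128"), # IPv6 IMDS endpoint
    ipaddress.ip_network("100.64.0.0/10"),     # shared address space; not flagged as private
]

Resolver = Callable[[str], Iterable[str]]

def resolve_with_getaddrinfo(host: str) -> list:
    """Production resolver: every A/AAAA answer, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_blocked(addr) -> bool:
    """True for any address the importer must not connect to."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:169.254.169.254 is still IMDS
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in DENIED_NETWORKS)

def literal_address(host: str):
    """Parse IPv4/IPv6 literals, including the integer form (http://2852039166/)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            pass
    return None

def check_import_url(url: str, resolve: Resolver = resolve_with_getaddrinfo):
    """Return (allowed, reason, pinned_ip).

    pinned_ip is the address the HTTP client must connect to (sending Host: <name>);
    letting the client resolve the name again reopens the DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed", None
    literal = literal_address(host)
    candidates = [literal] if literal else [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        return False, "host does not resolve", None
    for addr in candidates:
        if is_blocked(addr):
            return False, f"{host} resolves to blocked address {addr}", None
    return True, "ok", str(candidates[0])
```

Two things the check does not cover on its own: redirects (the client must re-run the check on every 3xx target, or refuse to follow redirects), and a bypass nobody has thought of yet. For the second, require IMDSv2 on the instance (`aws ec2 modify-instance-metadata-options --http-tokens required`, with `--http-put-response-hop-limit` set as low as the workload allows) so that a plain GET from the application can no longer return credentials even if the URL filter is defeated.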
What a strong answer looks like
Stop the bleeding first: contain before you investigate. Revoke the role's active sessions (or swap the instance profile) so the stolen temporary credentials stop working, take the import endpoint offline or cut its path to 169.254.169.254, and treat the Secrets Manager secret and the contents of both buckets as exposed until the logs say otherwise. Then form hypotheses from real signals rather than guesses: every CloudTrail call made with the role's credentials, split by source IP and user agent, plus the application or load-balancer logs for /api/import requests carrying metadata-service URLs, to establish when the first read happened and what was taken. Separate the root cause (an SSRF that reaches the instance metadata service) from the symptom (credential misuse), communicate status as you go, and close with what prevents a repeat: a destination check on import URLs, IMDSv2 required, a tighter role, and an alert on instance-role credentials used from unexpected networks.
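The scoping step above, as an added example that is not part of the page: a triage pass over constructed CloudTrail records for the instance role (the account ID, role name, key ID, buckets, secret and IP addresses are all made up, and the AWS prefix list is a stand-in for the published ip-ranges.json). It splits the role's activity by whether the source IP is an AWS address, summarises what the outside caller did and when, and builds the same deny-by-issue-time policy the IAM console attaches when you revoke a role's active sessions.

```python
import json
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail records for the scenario (not real logs). Field names follow
# the CloudTrail schema; the account ID, role, key ID, buckets and IPs are made up.
SAMPLE_TRAIL = json.loads(r"""
{"Records": [
 {"eventTime": "2024-05-01T03:12:09Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
  "sourceIPAddress": "203.0.113.77", "userAgent": "aws-cli/2.15.0",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE111",
   "arn": "arn:aws:sts::123456789012:assumed-role/ImageImportRole/i-0123456789abcdef0"}},
 {"eventTime": "2024-05-01T03:13:40Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "sourceIPAddress": "203.0.113.77", "userAgent": "aws-cli/2.15.0",
  "requestParameters": {"secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"},
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE111",
   "arn": "arn:aws:sts::123456789012:assumed-role/ImageImportRole/i-0123456789abcdef0"}},
 {"eventTime": "2024-05-01T09:40:11Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
  "sourceIPAddress": "198.51.100.20", "userAgent": "aws-sdk-go/1.44",
  "requestParameters": {"bucketName": "acme-user-uploads", "key": "imports/2024/05/01/abc.png"},
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE111",
   "arn": "arn:aws:sts::123456789012:assumed-role/ImageImportRole/i-0123456789abcdef0"}},
 {"eventTime": "2024-05-01T10:01:55Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "203.0.113.77", "userAgent": "python-requests/2.31",
  "requestParameters": {"bucketName": "acme-billing-exports", "key": "2024-04/invoices.csv"},
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE111",
   "arn": "arn:aws:sts::123456789012:assumed-role/ImageImportRole/i-0123456789abcdef0"}}
]}
""")

# Constructed stand-in for the AWS prefix list (ip-ranges.json). In real triage load
# the current file and add your own NAT gateway / EIP addresses to the "expected" set.
AWS_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
ROLE_NAME = "ImageImportRole"

def is_aws_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AWS_PREFIXES)

def role_events(records, role_name=ROLE_NAME):
    """Every call made with the instance role's credentials, whatever the session or key."""
    needle = f":assumed-role/{role_name}/"
    return [r for r in records if r["userIdentity"].get("type") == "AssumedRole"
            and needle in r["userIdentity"].get("arn", "")]

def touched_resource(r):
    p = r.get("requestParameters") or {}
    if "secretId" in p:
        return p["secretId"]
    if "bucketName" in p:
        return f"s3://{p['bucketName']}/{p.get('key', '')}"
    return None

def triage(records, role_name=ROLE_NAME):
    """Summarise what callers outside AWS did with the role: who, when, which APIs, which data."""
    s = {"outside_ips": set(), "keys": set(), "first_seen": None, "last_seen": None,
         "actions": defaultdict(set), "resources": set(), "writes": set()}
    for r in role_events(records, role_name):
        if is_aws_ip(r["sourceIPAddress"]):
            continue  # probably the instance itself via NAT/EIP; an attacker on EC2 would hide here too
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        s["outside_ips"].add(r["sourceIPAddress"])
        s["keys"].add(r["userIdentity"]["accessKeyId"])
        s["first_seen"] = ts if s["first_seen"] is None else min(s["first_seen"], ts)
        s["last_seen"] = ts if s["last_seen"] is None else max(s["last_seen"], ts)
        s["actions"][r["eventSource"]].add(r["eventName"])
        res = touched_resource(r)
        if res:
            s["resources"].add(res)
            if r["eventName"].startswith(("Put", "Delete", "Create", "Update")):
                s["writes"].add(res)  # tampering, not just theft: changes the response
    return s

def revoke_older_sessions_policy(cutoff: datetime) -> dict:
    """Inline Deny policy in the shape the IAM console's 'Revoke active sessions' attaches."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")}}}]}

if __name__ == "__main__":
    s = triage(SAMPLE_TRAIL["Records"])
    print("outside IPs:", sorted(s["outside_ips"]), "keys:", sorted(s["keys"]))
    print("window:", s["first_seen"], "->", s["last_seen"])
    for src, names in s["actions"].items():
        print(" ", src, sorted(names))
    print("resources read:", sorted(s["resources"]), "written:", sorted(s["writes"]))
    print(json.dumps(revoke_older_sessions_policy(datetime.now(timezone.utc)), indent=2))
```

Two caveats when running this against a real trail. Object-level S3 calls such as GetObject only appear if S3 data events are enabled on the trail; without them the bucket side of the blast radius has to come from S3 server access logs, and absence of evidence is not evidence of absence. And the revoke policy denies the instance's own current credentials as well as the attacker's, so expect the import service to fail until the instance picks up fresh credentials (or replace the instance profile instead).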