SSRF (server-side request forgery) tricks a server into making requests to internal resources on the attacker's behalf: reaching cloud metadata APIs (AWS IMDS), internal services, or local files from the server's vantage point.
SSRF in cloud environments can expose IAM credentials via the metadata service (169.254.169.254). AWS IMDSv2 (token-based) mitigates SSRF against the metadata service. SSRF was used in the Capital One breach (2019).
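An application-side destination check for the three targets named above (metadata service, internal services, local files), as an added example that is not from the original page. The function name, the allowed-scheme list, and the `.example` hostnames with their stand-in resolver are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the app only needs web fetches

def resolve(host):
    """Default resolver: every address the name maps to (needs DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_outbound_url(url, resolver=resolve):
    """Return (allowed, reason) for a user-supplied URL the server would fetch."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"  # e.g. file:// local reads
    if not host:
        return False, "no host"
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, no lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):
            addrs = []
    if not addrs:
        return False, "resolution failed"
    for addr in addrs:  # every resolved address must pass
        addr = getattr(addr, "ipv4_mapped", None) or addr  # unwrap ::ffff:a.b.c.d
        if addr.is_link_local:
            return False, "link-local (metadata range)"
        if not addr.is_global:
            return False, "internal address"
    return True, "ok"

# Constructed sample data: hypothetical names and a stand-in resolver for offline use.
FAKE_DNS = {"internal.example": ["10.0.0.5"], "public.example": ["93.184.216.34"]}

if __name__ == "__main__":
    for u in ["http://169.254.169.254/", "file:///etc/hostname",
              "http://internal.example/", "https://public.example/"]:
        print(u, check_outbound_url(u, resolver=FAKE_DNS.__getitem__))
```

The fetch has to connect to the address that was checked and re-run the check on every redirect, since a second lookup may return a different address. On AWS this complements IMDSv2 rather than replacing it.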