The correct answer is IMDS Attack. CEH cloud security material explains that cloud instances often obtain temporary credentials from an Instance Metadata Service, commonly called IMDS, which supplies identity and role-based access details to workloads running on the virtual machine. If an attacker gains code execution on the instance, even through a separate web application flaw, the attacker may query the metadata endpoint locally and retrieve temporary credentials associated with the instance role. That is precisely what happens in this scenario: the tester runs a script on the VM, extracts temporary role credentials, and then uses them to enumerate storage and other services within the same cloud account. Wrapping attacks target SOAP message manipulation, while cloud snooper and CP DoS do not match the behavior of harvesting role credentials from local cloud metadata. CEH emphasizes that overprivileged instance roles and exposed metadata access can allow attackers to pivot from a single compromised workload into broader cloud service access. Because the key step is retrieving temporary credentials from the instance metadata service, the best match is IMDS Attack.