Identity-Related Attacks in AWS: Detection, Hunting Techniques & Recommendations
AWS identity attacks target misconfigurations and weaknesses in IAM (Identity and Access Management). Common vectors include compromised access keys, leaked credentials, and abuse of over-permissive IAM policies; attackers often exploit wildcard (*) permissions to reach services they should not or to escalate privileges. Misconfigured IAM roles and trust policies can let external principals assume sensitive roles through STS. Credential exposure through public GitHub repositories is a frequent entry point. Hijacking sessions and abusing temporary credentials yields short-lived but powerful access. CloudFormation templates can be weaponized to inject backdoor IAM roles or policies, and attackers use the IAM APIs to enumerate users, groups and policies before exploitation. Missing MFA and stale IAM accounts raise the risk of identity compromise. IAM hygiene, least privilege and CloudTrail monitoring are the core defenses.
In the era of cloud computing, identity-based attacks have become one of the most prevalent and critical threats to organizations. AWS cloud environments heavily rely on Identity and Access Management (IAM) to control access and permissions across services, making identity-based attacks a primary target for cyber adversaries. This blog explores different types of identity-related attacks in AWS, necessary log sources for detection, hunting techniques, and key recommendations to strengthen cloud security posture.
Types of Identity Attacks in AWS
Identity attacks in AWS typically revolve around unauthorized access, privilege escalation, or abuse of IAM roles. Below are the most common types of identity-related attacks:
AWS Identity Attacks
| Attack Type | Description | Potential Impact |
|---|---|---|
| 1. Credential Compromise | Leaked or phished IAM user credentials (access key ID and secret, or console password). | Unauthorized access to the AWS environment. |
| 2. Over-permissive IAM Policies | Wildcards (*) in Action or Resource grant far more than the workload needs. | Full control, lateral movement, escalation. |
| 3. AssumeRole Abuse | Exploiting trust relationships to assume roles within or across accounts. | Cross-account access, privilege escalation. |
| 4. IAM Trust Policy Misconfig | Trust policies allow unintended principals (for example Principal "AWS": "*", or a foreign account with no Condition) to assume roles. | Unauthorized access across services/accounts. |
| 5. Session Token Hijacking | Temporary credentials (STS or SDK session credentials) stolen and reused from another host. | Temporary but powerful unauthorized access. |
| 6. MFA Not Enforced | Users sign in with only a password. | Credential compromise via brute force or phishing. |
| 7. Privilege Escalation via Policy | A low-privileged principal escalates by misusing IAM write permissions (attaching policies, adding inline policies, setting a default policy version). | Admin-level access gained from a basic role. |
| 8. IAM User Enumeration | API error messages reveal whether a user or role exists (for example, UpdateAssumeRolePolicy rejects a principal that does not exist but accepts one that does, even in another account). | Precursor to targeted brute-force or phishing. |
| 9. Malicious IAM Role Creation | Attacker creates roles with elevated privileges and a trust policy they control. | Persistent access and post-exploitation control. |
| 10. Stale IAM Credentials | Old, unused keys remain active and unnoticed. | Easy entry point for adversaries. |
| 11. CloudFormation Policy Injection | A malicious template provisions over-permissive roles or policies under the deploying pipeline's credentials. | Persistent IAM backdoors created during deployment. |
| 12. IAM Policy Version Exploitation | SetDefaultPolicyVersion re-activates an older, broader version of a managed policy (up to five versions are retained). | Restoration of previous over-permissive access. |
| 13. Abuse of EC2 Instance Profile | Code on a compromised instance, or SSRF against IMDSv1, reads the instance role's credentials from 169.254.169.254. | Lateral movement with the instance role's permissions. |
| 14. Attaching Policies to Other Roles | A principal with iam:AttachRolePolicy or iam:PutRolePolicy widens a role it can already assume. | Expansion of access rights. |
| 15. Use of Default IAM Roles | Default or vendor-created roles with broad permissions are left unrestricted. | Unintended full access to services. |
| 16. IAM Inline Policy Abuse | Inline policies grant permissions that do not show up in managed-policy reviews. | Hidden privilege escalation path. |
| 17. Role Chaining | Chaining multiple role assumptions to blur the originating identity (role-chained sessions are capped at one hour). | Complex, hard-to-trace lateral movement. |
| 18. IAM Access Analyzer Bypass | Access Analyzer reports access from outside the zone of trust, so persistence built on in-account principals raises no finding. | Stealthy persistence without detection. |
| 19. API Gateway Impersonation | An API integration executes with its configured IAM role, so anyone who can invoke an under-authenticated API borrows that role's permissions. | Backend compromise via trusted role misuse. |
| 20. Shared Credential Exploitation | Credentials reused across systems or shared within teams. | Easy pivot once any one system or person is compromised. |
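Rows 2, 4 and 11 above are the cases a pre-deployment check can catch before a template ever reaches IAM. The following is an added example (not code from the original post) that walks a constructed CloudFormation template and flags wildcard Action/Resource in permission policies and wildcard or unconditioned cross-account principals in trust policies. The template, its logical IDs (AppRole, BackdoorRole) and the account IDs are placeholders; a real template would be loaded from disk with json.load().

```python
"""Static check for IAM policy and trust-policy wildcards in a CloudFormation template.
Added example, not code from the original post. The template, logical IDs and account
IDs below are constructed placeholders."""
import json

ACCOUNT_ID = "111122223333"  # assumed owning account, used to spot foreign principals

SAMPLE_TEMPLATE = {  # constructed: one sane role, one backdoored role
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]},
            "Policies": [{"PolicyName": "app-read", "PolicyDocument": {
                "Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": ["s3:GetObject"],
                     "Resource": "arn:aws:s3:::app-bucket/*"}]}}]}},
        "BackdoorRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
                {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                 "Action": "sts:AssumeRole"}]},
            "Policies": [{"PolicyName": "all-access", "PolicyDocument": {
                "Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": "*", "Resource": "*"},
                    {"Effect": "Allow", "Action": "iam:*",
                     "Resource": "arn:aws:iam::111122223333:role/AppRole"}]}}]}},
    },
}


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_permission_policy(doc):
    """Findings for Allow statements with wildcard Action (* or service:*) or Resource *."""
    findings = []
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action")))
        wild_resource = "*" in _as_list(st.get("Resource"))
        if wild_action and wild_resource:
            findings.append("Allow * on * (full-admin statement)")
        elif wild_action:
            findings.append("wildcard Action %s" % ",".join(_as_list(st.get("Action"))))
    return findings


def check_trust_policy(doc, account_id):
    """Findings for trust statements that let anyone, or an unconditioned foreign account, assume the role."""
    findings = []
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*":
            aws = ["*"]
        elif isinstance(principal, dict):
            aws = _as_list(principal.get("AWS"))  # Service/Federated principals are not checked here
        else:
            aws = []
        for p in aws:
            if p == "*":
                findings.append("any AWS principal may assume this role")
            elif account_id not in p and not st.get("Condition"):
                findings.append("cross-account principal %s without Condition" % p)
    return findings


def scan_template(template, account_id=ACCOUNT_ID):
    """Return {logical_id: [findings]} for IAM roles and policies that have at least one finding."""
    results = {}
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        findings = []
        if res.get("Type") == "AWS::IAM::Role":
            findings += check_trust_policy(props.get("AssumeRolePolicyDocument", {}), account_id)
            for pol in props.get("Policies", []):
                findings += check_permission_policy(pol.get("PolicyDocument", {}))
        elif res.get("Type") in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            findings += check_permission_policy(props.get("PolicyDocument", {}))
        if findings:
            results[logical_id] = findings
    return results


if __name__ == "__main__":
    for rid, found in scan_template(SAMPLE_TEMPLATE).items():
        print(rid)
        for f in found:
            print("  -", f)
```

Managed policies attached by ARN (ManagedPolicyArns) are not inspected here; AdministratorAccess attached by reference is the other common way the same backdoor is written, so a real pipeline check should also allow-list those ARNs.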
Hunting AWS Identity Attacks
| # | Attack Name | MITRE ATT&CK Technique (Cloud) | Log Source | Attributes for Hunting |
|---|---|---|---|---|
| 1 | Compromised IAM User Credentials | T1078.004 – Valid Accounts: Cloud Accounts | CloudTrail, IAM, CloudWatch | ConsoleLogin, sourceIPAddress, userAgent, userIdentity.accessKeyId, additionalEventData.MFAUsed |
| 2 | Privilege Escalation via IAM Policy | T1098.003 – Account Manipulation: Additional Cloud Roles | CloudTrail | PutUserPolicy, AttachUserPolicy, PutRolePolicy, AttachRolePolicy, CreatePolicyVersion with setAsDefault, SetDefaultPolicyVersion |
| 3 | Unauthorized AssumeRole Usage | T1078.004 | CloudTrail (eventSource sts.amazonaws.com) | AssumeRole, requestParameters.roleArn, sourceIdentity, userIdentity.type |
| 4 | Over-permissive Policy Deployment | T1098.003 | CloudTrail | CreatePolicy, CreatePolicyVersion, PutRolePolicy with a policyDocument allowing Action * on Resource * |
| 5 | API Enumeration | T1087.004 – Account Discovery: Cloud Account | CloudTrail | ListUsers, ListRoles, ListPolicies, GetAccountAuthorizationDetails |
| 6 | Abuse of EC2 Instance Role | T1552.005 – Unsecured Credentials: Cloud Instance Metadata API | CloudTrail, GuardDuty | Instance-profile session (assumed-role ARN whose session name is the instance ID, ASIA… accessKeyId) used from a sourceIPAddress outside AWS; GuardDuty InstanceCredentialExfiltration findings. VPC Flow Logs do not record traffic to 169.254.169.254, so they cannot see the credential read itself. |
| 7 | Role Trust Policy Tampering | T1098.003 | CloudTrail | UpdateAssumeRolePolicy, CreateRole with a broad assumeRolePolicyDocument |
| 8 | Creation of Backdoor IAM User | T1136.003 – Create Account: Cloud Account | CloudTrail | CreateUser, AttachUserPolicy, CreateAccessKey, CreateLoginProfile |
| 9 | Use of Stale Access Keys | T1078.004 | IAM credential report, CloudTrail | access_key_N_last_used_date age, keys never rotated, sudden reuse of a long-dormant accessKeyId |
| 10 | Privileged Console Login without MFA | T1556.006 – Modify Authentication Process: Multi-Factor Authentication | CloudTrail, IAM, Config | ConsoleLogin with additionalEventData.MFAUsed = No; DeactivateMFADevice, DeleteVirtualMFADevice; non-compliant iam-user-mfa-enabled / root-account-mfa-enabled Config rules |
| 11 | Chaining Role Assumptions | T1078.004 | CloudTrail (sts events) | Sequence of AssumeRole calls where userIdentity.type = AssumedRole; correlate sourceIdentity and sessionContext.sessionIssuer |
| 12 | Session Token Replay | T1550.001 – Use Alternate Authentication Material: Application Access Token | CloudTrail | Same temporary accessKeyId (ASIA… prefix) used from several sourceIPAddress values or geographies within one session lifetime |
| 13 | Inline Policy Injection | T1098.003 | CloudTrail | PutUserPolicy, PutGroupPolicy, PutRolePolicy with over-permissive actions |
| 14 | Disabling CloudTrail or Logging | T1562.008 – Impair Defenses: Disable or Modify Cloud Logs | CloudTrail, CloudWatch Logs | StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors, DeleteLogGroup |
| 15 | Enumeration via SDK/API Keys | T1087.004 | CloudTrail | Unusual volume or sequence of List*, Describe* and Get* calls from one accessKeyId, often mixed with AccessDenied errors |
| 16 | IAM Role Creation with Broad Access | T1098.003 | CloudTrail | CreateRole followed by PutRolePolicy or AttachRolePolicy granting * permissions |
| 17 | Reuse of Shared Access Keys | T1078.004 | CloudTrail, IAM | Same accessKeyId from different IPs, regions or userAgent strings |
| 18 | Dormant IAM User with Live Credentials | T1078.004 | IAM credential report, Config | No activity in 90+ days while the password or access keys remain active (Config rule iam-user-unused-credentials-check) |
| 19 | Temporary Token Abuse | T1078.004 | CloudTrail (sts events) | Session credentials (userIdentity.type = AssumedRole or FederatedUser) calling IAM write APIs |
| 20 | IAM Role Deletion After Backdoor Setup | T1070 – Indicator Removal | CloudTrail | DeleteRole, DetachRolePolicy, DeleteRolePolicy shortly after CreateRole by the same principal |
| 21 | Unauthorized Console Login Attempts | T1110 – Brute Force | CloudTrail | eventName = ConsoleLogin, responseElements.ConsoleLogin = Failure, errorMessage = Failed authentication, userIdentity.type = IAMUser |
| 22 | Root Account Usage | T1078 – Valid Accounts | CloudTrail | userIdentity.type = Root (any eventName, not only ConsoleLogin); additionalEventData.MFAUsed = No |
| 23 | Creating New IAM Users | T1136.003 – Create Account: Cloud Account | CloudTrail | eventName = CreateUser, userIdentity.arn, requestParameters.userName |
| 24 | Access Key Creation | T1098.001 – Account Manipulation: Additional Cloud Credentials | CloudTrail | eventName = CreateAccessKey, requestParameters.userName (key created for a different user than the caller), responseElements.accessKey.accessKeyId |
| 25 | API Calls from Unusual Locations | T1078.004 | CloudTrail, VPC Flow Logs | sourceIPAddress outside known ranges or geolocations, userIdentity.arn, ConsoleLogin or any API call |
| 26 | S3 Bucket Policy Changes | T1530 – Data from Cloud Storage (PutBucketPolicy is the enabling step) | CloudTrail | eventName = PutBucketPolicy, requestParameters.bucketName, requestParameters.policy with Principal * |
| 27 | Modifying Security Group Rules | T1562.007 – Impair Defenses: Disable or Modify Cloud Firewall | CloudTrail | eventName = AuthorizeSecurityGroupIngress, requestParameters.groupId, requestParameters.ipPermissions (0.0.0.0/0 sources) |
| 28 | Deleting IAM Roles | T1098 – Account Manipulation | CloudTrail | eventName = DeleteRole, userIdentity.arn, requestParameters.roleName |
| 29 | Detaching Policies from IAM Roles | T1098 | CloudTrail | eventName = DetachRolePolicy, requestParameters.policyArn, requestParameters.roleName |
| 30 | Creating Temporary Access Tokens | T1098.001 – Additional Cloud Credentials | CloudTrail | eventName = GetSessionToken or GetFederationToken, requestParameters.durationSeconds, sourceIPAddress |
| 31 | Unauthorized EC2 Key Pair Creation | T1098 – Account Manipulation | CloudTrail | eventName = CreateKeyPair or ImportKeyPair, userIdentity.arn, requestParameters.keyName |
| 32 | Lambda Function Permission Modification | T1578 – Modify Cloud Compute Infrastructure | CloudTrail | eventName = AddPermission (eventSource lambda.amazonaws.com), requestParameters.functionName, requestParameters.principal |
| 33 | CloudTrail Encryption Key Deletion | T1485 – Data Destruction | CloudTrail | eventName = ScheduleKeyDeletion or DisableKey (eventSource kms.amazonaws.com), requestParameters.keyId, userIdentity.arn |
| 34 | Access Denied API Calls | T1078 – Valid Accounts | CloudTrail | errorCode = AccessDenied (Client.UnauthorizedOperation for EC2), userIdentity.arn, bursts spanning many eventName values |
| 35 | CloudWatch Alarm Disabling | T1562.006 – Impair Defenses: Indicator Blocking | CloudTrail | eventName = DisableAlarmActions, DeleteAlarms, PutMetricAlarm that loosens thresholds |
| 36 | Cross-Account Access Grant | T1098.003 – Additional Cloud Roles | CloudTrail | UpdateAssumeRolePolicy adding a foreign account principal; AssumeRole where userIdentity.accountId differs from recipientAccountId |
These entries give a hunting-first approach in which analysts map detection efforts directly to MITRE ATT&CK techniques. Rows such as 10 and 18 describe posture gaps rather than adversary behaviour, so their mapping points at the technique the gap enables.
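Several of the rows above reduce to a few lines of logic over raw CloudTrail records. The block below is an added example, not code from the original post, that implements rows 1, 2, 14, 17, 22 and 36 as functions over a constructed list of CloudTrail-shaped events (account IDs, access key IDs, IP addresses and the trail name are placeholders). Hits are keyed by eventID, except for the shared-key rule, which reports the accessKeyId it correlated.

```python
"""Hunting rules from the table above, run over constructed CloudTrail records.
Added example, not code from the original post. Records are constructed and trimmed
to the fields the rules read; account IDs, key IDs and addresses are placeholders."""
import json
from collections import defaultdict
from urllib.parse import unquote

ADMIN_DOC = json.dumps({"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})
ALICE = {"type": "IAMUser", "accountId": "111122223333",
         "arn": "arn:aws:iam::111122223333:user/alice", "accessKeyId": "AKIAEXAMPLE000001"}
EVENTS = [  # constructed sample records
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "arn": ALICE["arn"]},
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111122223333",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111122223333", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.7", "recipientAccountId": "111122223333",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": ALICE, "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111122223333",
     "requestParameters": {"roleName": "AppRole", "policyName": "escalate", "policyDocument": ADMIN_DOC}},
    {"eventID": "e4", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": ALICE, "sourceIPAddress": "192.0.2.44", "recipientAccountId": "111122223333",
     "requestParameters": {"name": "org-trail"}},
    {"eventID": "e5", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "accountId": "999999999999", "accessKeyId": "AKIAEXAMPLE000002",
                      "arn": "arn:aws:iam::999999999999:user/mallory"},
     "sourceIPAddress": "192.0.2.44", "recipientAccountId": "111122223333",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/AdminRole"}},
]
POLICY_WRITES = {"PutRolePolicy", "PutUserPolicy", "PutGroupPolicy", "CreatePolicy", "CreatePolicyVersion"}
LOG_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _get(event, *path):
    """Safe nested lookup: _get(e, 'userIdentity', 'accessKeyId') -> value or None."""
    cur = event
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def rule_console_login_without_mfa(events):  # row 1 / row 10
    for e in events:
        if (e["eventName"] == "ConsoleLogin" and _get(e, "responseElements", "ConsoleLogin") == "Success"
                and _get(e, "additionalEventData", "MFAUsed") != "Yes"):
            yield e["eventID"]


def rule_root_activity(events):  # row 22: any API call, not only ConsoleLogin
    for e in events:
        if _get(e, "userIdentity", "type") == "Root":
            yield e["eventID"]


def rule_admin_policy_written(events):  # rows 2 / 4 / 13
    for e in events:
        doc = _get(e, "requestParameters", "policyDocument")
        if e["eventName"] not in POLICY_WRITES or not doc:
            continue
        statements = json.loads(unquote(doc)).get("Statement", [])  # CloudTrail stores it URL-encoded
        for st in (statements if isinstance(statements, list) else [statements]):
            if st.get("Effect") == "Allow" and st.get("Action") in ("*", ["*"]) and st.get("Resource") in ("*", ["*"]):
                yield e["eventID"]
                break


def rule_logging_tampered(events):  # row 14
    for e in events:
        if e["eventSource"] == "cloudtrail.amazonaws.com" and e["eventName"] in LOG_TAMPERING:
            yield e["eventID"]


def rule_key_used_from_multiple_ips(events):  # row 17: stateful, correlates across records
    ips = defaultdict(set)
    for e in events:
        key = _get(e, "userIdentity", "accessKeyId")
        # Calls an AWS service makes on the principal's behalf carry a service hostname here; skip them.
        if key and not e["sourceIPAddress"].endswith(".amazonaws.com"):
            ips[key].add(e["sourceIPAddress"])
    for key, seen in ips.items():
        if len(seen) > 1:
            yield key


def rule_cross_account_assume_role(events):  # row 36
    for e in events:
        if e["eventName"] == "AssumeRole" and _get(e, "userIdentity", "accountId") != e["recipientAccountId"]:
            yield e["eventID"]


RULES = {f.__name__[len("rule_"):]: f for f in (
    rule_console_login_without_mfa, rule_root_activity, rule_admin_policy_written,
    rule_logging_tampered, rule_key_used_from_multiple_ips, rule_cross_account_assume_role)}


def hunt(events):
    """Return {rule_name: sorted hits} for every rule that fired on the event list."""
    hits = {}
    for name, rule in RULES.items():
        found = sorted(set(rule(events)))
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    for name, found in hunt(EVENTS).items():
        print("%-30s %s" % (name, ", ".join(found)))
```

The shared-key rule is the one that needs tuning in production: NAT churn and mobile clients legitimately move a key between addresses, so bucket by time window and treat a change of ASN or country, rather than any change of address, as the alert condition.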
Recommendations to Mitigate Identity Attacks
- Enforce Multi-Factor Authentication (MFA) for all users, especially root accounts.
- Implement least privilege access policies by defining fine-grained permissions.
- Enable AWS GuardDuty to automatically detect abnormal identity-based activities.
- Regularly audit IAM policies and remove unused roles or permissions.
- Enable CloudTrail Logging across all AWS regions and set up log integrity validation.
- Configure CloudWatch Alarms for critical IAM events such as user creation or role assumption.
- Use AWS Config rules to monitor security configurations and ensure compliance.
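The audit recommendation and hunting rows 9 and 18 come down to reading the IAM credential report. The block below is an added example, not code from the original post: it parses a constructed report in the CSV layout returned by `aws iam get-credential-report` (the CLI returns it base64-encoded; decode before parsing), trimmed to the columns the checks use, and flags console users without MFA, active root access keys, and access keys unused for more than 90 days. Usernames, dates and the fixed audit time NOW are placeholders.

```python
"""Stale-credential and missing-MFA audit of an IAM credential report.
Added example, not code from the original post. The report text, usernames, dates
and the audit time NOW are constructed placeholders."""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)  # assumed audit time, fixed for the sample
NO_VALUE = {"N/A", "no_information", "not_supported", ""}  # sentinel strings the report uses

# Constructed report; real reports carry more columns, unused ones are omitted here.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2025-05-01T08:00:00+00:00,true,true,2022-01-10T09:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2025-05-20T10:00:00+00:00,false,true,2025-03-01T09:00:00+00:00,2025-05-29T12:00:00+00:00,false,N/A,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,false,not_supported,false,true,2024-11-01T09:00:00+00:00,2025-01-15T12:00:00+00:00,true,2025-05-10T09:00:00+00:00,2025-05-30T12:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,no_information,true,false,N/A,N/A,false,N/A,N/A
"""


def _parse_ts(value):
    """Report timestamps are ISO 8601 with a UTC offset; sentinel strings mean no value."""
    return None if value in NO_VALUE else datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for MFA gaps, live root keys and stale access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for slot in ("1", "2"):  # each user has two access key slots
            if row["access_key_%s_active" % slot] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, "root access key %s is active" % slot))
            last_used = _parse_ts(row["access_key_%s_last_used_date" % slot])
            # A key that has never been used is judged by its creation/rotation date instead.
            reference = last_used or _parse_ts(row["access_key_%s_last_rotated" % slot])
            if reference is not None and now - reference > STALE_AFTER:
                findings.append((user, "access key %s unused for %d days" % (slot, (now - reference).days)))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print("%-15s %s" % (user, finding))
```

The report is generated at most once every four hours, so pair this with the CloudTrail rules for anything time-sensitive; the report is for the periodic sweep, not for alerting.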
Conclusion
AWS Identity attacks pose a significant threat to AWS cloud environments. By leveraging native AWS logging capabilities, threat hunting techniques, and best practices, organizations can enhance their detection and response capabilities. Building a Zero Trust Identity Model combined with proactive log monitoring and continuous IAM audits will help mitigate risks and strengthen the overall cloud security posture.