What if you could maintain AWS access indefinitely without creating users or keys? Role chain juggling exploits how assume-role refreshes credential expiration. Chain calls to the same role or cycle between roles to keep access alive.
Can attackers undo your containment actions before they take effect? IAM's eventual consistency creates a 4-second window where deleted creds stay valid. Attackers can detect and remove deny-all policies before propagation completes.
ICYMI: Our latest article covers Daniel Grzelak's research on how AWS error messages can reveal publicly exposed resources, without needing access! We cover how to use them for enumeration and detection.
Can attackers hide GCP projects in plain sight? Apps Script projects create hidden sys-* folders invisible in the console. Attackers can mimic this naming convention to stash service accounts or compute instances where no one looks.
AI agents are becoming identity infrastructure, whether we’re ready or not. While investigating agent controls, the Datadog Security Research Team found that Copilot Studio wasn’t recording certain administrative changes to agents, exposing a potential monitoring blind spot.
Got shell access to an EC2 instance? You can enumerate the AWS account ID using two methods: get-caller-identity if an instance profile exists, or the metadata service at 169.254.169.254. Both reveal the account ID plus useful context like region and instance type.
Got a list of potential corporate emails? You can verify which ones are valid Azure AD accounts without authentication using tools like CredMaster or Quiet Riot. Useful for password spraying or even pivoting to AWS root user testing.
What if an attacker could turn a simple Cognito login into full AWS account access? Misconfigured Identity Pools can grant excessive IAM permissions to anyone who authenticates, even anonymous users. Learn how this exploitation chain works.
EC2 user data scripts often contain hardcoded credentials, despite AWS explicitly warning against it. If you gain access to an instance, check 169.254.169.254/latest/user-... immediately.
Got IAM creds but tired of wrestling with CLI flags? You can spawn an AWS Console session using aws-vault. Temporary creds work directly, long-term creds need sts:GetFederationToken first. Heads up: this is noisy in CloudTrail.
ICYMI: A look at how a familiar container escape pattern shows up in GCP Cloud Workstations. We trace a path from a container to service account.
If you’re using Cloud Workstations, this is a useful model to keep in mind.
Got browser cookies but no AWS credentials? CloudShell has an undocumented metadata endpoint on port 1338 that exposes IAM creds. Load the session cookies, hit the endpoint, and you've got temporary credentials for your tools.
Tens of thousands of EBS snapshots are publicly exposed right now. Unlike most AWS resources, you can list all public snapshots via the API and filter by account ID. Easy recon, zero detection risk.
How do you know what permissions compromised AWS credentials actually have? Brute force them. enumerate-iam tests safe API calls to map your access. Just note: this is loud and will light up CloudTrail.
ICYMI: AI workloads are landing in the same cloud accounts we’ve been breaking into (and defending) for years. It's time for Hacking the Cloud to catch up. We're announcing a call for research! Share your AI and LLM sec research with thousands of readers.
GCP buckets and AWS S3 buckets are nearly identical under the hood. CloudStorageFinder works for both with minimal changes - just swap the endpoint URL. Here's how to hunt for GCP buckets.
AWS Network Firewall checks SNI and Host headers but never verifies the actual destination IP. Attackers can bypass egress filtering by spoofing legitimate domains while routing traffic to malicious IPs.
In case you missed it, did you know Claude models have a "magic string" to test when a model refuses to respond? If that string enters prompt context, it can be abused to break LLM workflows until context is reset.
It's the EICAR test string of the AI age. Details:
Misconfigured GitLab OIDC with AWS IAM roles can lead to unauthorized role assumption. Learn to identify and exploit such vulnerabilities with a step-by-step guide. Stay informed to protect your cloud infrastructure from unauthorized access.
Discover how to enumerate IAM users and roles in AWS without prior access! Through clever techniques like exploiting resource-based policies, you can explore insights across AWS accounts. Harness tools like Quiet Riot for efficient execution. Dive deeper here:
Exploring the impact of misconfigured AWS IAM role trust policies. Learn how wildcard Principals in trust policies can open up roles to any AWS account, posing serious security risks. Are your policies airtight? Dive deeper into this cloud security issue with us!
Discover how a default configuration in Terraform Enterprise can expose sensitive credentials via the Metadata Service. By understanding the nuances of remote execution and Docker in Terraform, you can mitigate potential security risks before they affect your cloud infrastructure.
The 2025 Hacking the Cloud: Year in Review is out! We take a look at the growing tide of software supply chain attacks, discuss the most critical cloud vuln discovered to date, and share some stats for the site!
hackingthe.cloud/blog/2025_wr...
Discover how AWS connection tracking affects security group rules. Once connections are established, they persist even if rules change. Learn how this impacts security, illustrated with EC2 instances and penetration testing scenarios.
Dive into "CI/CDon't", an AWS/GitLab-themed CTF where you can test your security chops on vulnerable infrastructure. Deploy it using Terraform and explore fun, low-difficulty CI/CD challenges. Remember, it's in your AWS account, so handle with care! Check it out:
Learn how to bypass AWS GuardDuty's Tor Client detection on EC2 instances without triggering alerts. By leveraging Tor bridges and using obfs4proxy, you can connect discreetly to the Tor network, maintaining privacy while avoiding unauthorized access warnings. More details here:
New on @hackingthe.cloud, did you know that attackers can prevent you from kicking them out of your environment in certain situations? Eduard Agavriloae shares his research on how attackers can nullify containment attempts!
hackingthe.cloud/aws/post_exp...
Lambda's environment variables hold IAM credentials that attackers can target via file read and SSRF vulnerabilities. They can also extract event data using SSRF exploits. This blog explores practical techniques for exploiting these vulnerabilities in Lambda functions.
