Backdooring AMIs for Fun and Profit
A walkthrough of how a malicious public AMI can embed a reverse shell backdoor that calls home when a victim launches an EC2 instance from it, giving attackers access to the victim's instance role.
AWS misconfigurations are the #1 attack vector we find in product security assessments. These deep dives cover IAM, EC2, Lambda, App Runner, and cloud-native attack paths.
14 articles
Part 2 of the IAM misconfiguration series: exploiting overly permissive CreatePolicyVersion permissions to escalate privileges and gain access to sensitive AWS resources like S3.
What happens when an attacker gains remote code execution in an AWS App Runner container — a research walkthrough of pivoting from RCE to stealing secrets from AWS Secrets Manager.
How attackers exploit AWS IAM misconfigurations — starting with a misconfigured AssumeRole policy — to perform privilege escalation and move laterally through cloud environments.
A bug bounty story of using GitHub dorks to find exposed AWS credentials in public repositories, then exploiting them to gain root access to an EC2 instance.
An introduction to AWS Lambda security vulnerabilities — insecure code, over-permissive roles, and serverless-specific attack vectors — explored hands-on using the ServerlessGoat vulnerable app.
Slides, video, and Q&A from an OWASP Bay Area webinar demonstrating real AWS attack scenarios — privilege escalation, SSRF, and IAM abuse — using CloudGoat.
How to detect and exploit misconfigured Amazon Cognito identity pools, covering federated identity abuse and techniques found during real web and mobile application assessments.
A real-world pentest story of chaining unsanitised user input in a PDF download feature into a full SSRF on AWS, with a walkthrough of each discovery and escalation step.
How a stored HTML injection vulnerability in a PDF generation feature was escalated to a full SSRF on AWS EC2, enabling access to instance metadata and temporary IAM credentials.
An investigation into whether the X-HTTP-Method-Override header can be used to bypass IMDSv2 on AWS EC2 instances — and why the answer is definitively no.
How to automate bulk migration of EC2 instances from IMDSv1 to IMDSv2 across multiple AWS regions using Ansible playbooks.
How IMDSv2's token-based authentication changes the impact of SSRF on AWS EC2 instances, and what attackers can and cannot do against the new endpoint protection.
A practical guide to AWS EC2 Instance Metadata Service v2 (IMDSv2): how it works, how to enable it, monitor adoption via CloudWatch, and roll back if needed.