A reference of AWS-native attack techniques used for lateral movement, privilege escalation, and credential access. Each technique documents the required permissions, impact, detection, and mitigation.
An attacker with iam:CreatePolicyVersion can create a new version of an existing managed policy that grants administrator permissions and set it as the default version, so every identity the policy is attached to inherits those permissions.
An attacker with iam:AttachUserPolicy or iam:AttachRolePolicy can attach the AdministratorAccess managed policy to their own identity.
An attacker with iam:PutRolePolicy can add an inline policy with admin permissions to any role they can assume.
An attacker with iam:PassRole and lambda:CreateFunction can create a Lambda function with a privileged execution role and invoke it to run code with that role's permissions, escalating privileges.
An attacker with iam:PassRole and ec2:RunInstances can launch an EC2 instance with a privileged instance profile and access its credentials via IMDS.
An attacker with access to an EC2 instance can retrieve temporary IAM credentials from the Instance Metadata Service (IMDS).
An attacker reads EC2 instance UserData or modifies it to extract credentials, secrets, and bootstrap scripts that often contain sensitive configuration.
An attacker enumerates and retrieves secrets from AWS Secrets Manager and SSM Parameter Store to discover credentials for databases, APIs, and other services.
An attacker deploys Lambda functions triggered by CloudWatch Events to automatically backdoor newly created IAM users, roles, or security groups.
An attacker with IAM write access creates access keys for all existing users and modifies trust policies on all existing roles, establishing broad persistent access.
An attacker generates long-lived STS session tokens that remain valid even after the original access keys are deleted or rotated.