Attack Surface
The complete set of entry points, exposed services, and exploitable paths that could be used to gain unauthorized access to an AWS environment.
In AWS, the attack surface encompasses every potential entry point and exploitable path an attacker could use. Unlike traditional infrastructure where attack surface is primarily network-based, AWS attack surface is largely defined by IAM configurations and service exposure.
Components of an AWS attack surface:
- **IAM principals** — Users, roles, and service accounts with their associated permissions
- **Public resources** — S3 buckets, API Gateway endpoints, Lambda function URLs, CloudFront distributions
- **Network exposure** — Security groups, NACLs, public subnets, VPC endpoints
- **Cross-account access** — Trust policies allowing external accounts to assume roles
- **Third-party integrations** — OAuth connections, webhook endpoints, partner API access
- **CI/CD pipelines** — Build systems with deployment credentials
- **Credential storage** — Secrets Manager, Parameter Store, environment variables
Attack surface differs from blast radius: attack surface is about how an attacker gets in, while blast radius is about how far they get once inside. Both are critical to measure.
Reducing attack surface involves:
- Auditing and removing unused IAM users, roles, and access keys
- Making S3 buckets private by default
- Using VPC endpoints instead of public internet access
- Implementing strict security group rules
- Rotating and auditing credentials regularly
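Two of the items above, cross-account trust policies and unused access keys, can be checked mechanically. The following is an added example (not code from hackaws.cloud) that audits both; it assumes inputs shaped like the dicts boto3 returns from `iam.get_role()` and `iam.list_access_keys()` merged with `get_access_key_last_used()`, and runs offline on constructed sample data.

```python
# Added example, not code from hackaws.cloud. Assumes inputs shaped like boto3's
# iam.get_role()["Role"]["AssumeRolePolicyDocument"] and the merged output of
# list_access_keys()/get_access_key_last_used(), so it runs offline on samples.
from datetime import datetime, timedelta, timezone

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _account_of(principal: str) -> str:
    """Account id of an AWS principal: ARN, bare 12-digit id, or '*'."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def external_trusts(trust_policy: dict, own_account: str) -> list:
    """Principals allowed to assume the role from outside own_account.
    Returns (principal, has_condition) pairs; a bare '*' is the worst case."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in aws:
            if _account_of(p) != own_account:
                findings.append((p, "Condition" in stmt))
    return findings

def stale_access_keys(keys: list, now: datetime, max_age_days: int = 90) -> list:
    """Active keys unused for max_age_days, or never used and older than that."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys if k["Status"] == "Active"
            and (k.get("LastUsedDate") or k["CreateDate"]) < cutoff]

# Constructed sample input; account ids and key ids are placeholders.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:role/Deploy",
                           "arn:aws:iam::222222222222:root"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"},
     "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}}]}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [  # one used 200 days ago, one never used, one new, one inactive
    {"AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=200)},
    {"AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=120), "LastUsedDate": None},
    {"AccessKeyId": "AKIAEXAMPLE0000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10), "LastUsedDate": None},
    {"AccessKeyId": "AKIAEXAMPLE0000004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": None}]
```

A wildcard principal that carries a `Condition` (such as an `sts:ExternalId` check) is reported separately from an unconditioned one, since only the latter is assumable by any AWS account.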
hackaws.cloud maps both your attack surface and blast radius, showing the complete picture of your AWS security posture.