Credential Chaining
A technique where an attacker discovers and uses multiple sets of AWS credentials in sequence, each providing access to new resources or higher privileges.
Credential chaining is the process of hopping from one set of AWS credentials to another, progressively expanding access across an environment. Each credential discovered opens new doors.
Common sources of chained credentials:
- **EC2 instance metadata (IMDS)** — Temporary credentials from instance profiles
- **Lambda environment variables** — Access keys or connection strings embedded in function configuration
- **ECS task roles** — Credentials available via the task metadata endpoint
- **SSM Parameter Store** — Credentials stored as parameters, often in plaintext
- **Secrets Manager** — API keys, database credentials, and service account tokens
- **S3 objects** — Configuration files, .env files, or backups containing credentials
- **CloudFormation outputs/parameters** — Sensitive values exposed in stack metadata
- **CodeBuild/CodePipeline** — Build environment variables containing deployment credentials
A single Lambda function with access to Secrets Manager might reveal database credentials, which lead to an RDS instance containing application API keys, which unlock access to a third-party service with its own AWS integration.
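The Lambda source in the list above is the easiest link to remove before an attacker can chain it. As an added illustration (not code from hackaws.cloud), this Python audit scans function configurations in the shape returned by the Lambda `ListFunctions` API for embedded credentials, treating Secrets Manager and SSM Parameter Store ARNs as acceptable runtime references rather than findings. The sample configurations are constructed; the key pair is the well-known AWS documentation example, not a live credential.

```python
import re
from typing import Dict, List, Optional

# Heuristics for credentials embedded directly in configuration. Values that are Secrets
# Manager or SSM ARNs are references resolved at runtime, which is the pattern we want.
ACCESS_KEY_ID = re.compile(r"(AKIA|ASIA)[0-9A-Z]{16}")
SECRET_KEY_SHAPE = re.compile(r"[A-Za-z0-9/+=]{40}")
CONNECTION_STRING = re.compile(r"[a-z][a-z0-9+.-]*://[^:/@\s]+:[^@\s]+@", re.I)
SENSITIVE_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY", re.I)
REFERENCE_PREFIXES = ("arn:aws:secretsmanager:", "arn:aws:ssm:")


def classify(name: str, value: str) -> Optional[str]:
    """Return a finding type for one environment variable, or None if it looks safe."""
    if not value or value.startswith(REFERENCE_PREFIXES):
        return None  # empty, or a reference to a secrets store: fine
    if ACCESS_KEY_ID.fullmatch(value):
        return "aws_access_key_id"
    if CONNECTION_STRING.match(value):
        return "connection_string_with_password"
    if SENSITIVE_NAME.search(name):
        if SECRET_KEY_SHAPE.fullmatch(value):
            return "aws_secret_access_key"
        return "literal_value_in_secret_named_variable"
    return None


def find_embedded_credentials(function_configs: List[Dict]) -> List[Dict[str, str]]:
    """Scan Lambda FunctionConfiguration records (e.g. the Functions list from ListFunctions)."""
    findings = []
    for fn in function_configs:
        variables = fn.get("Environment", {}).get("Variables", {})
        for name, value in variables.items():
            reason = classify(name, value)
            if reason:
                findings.append({"function": fn["FunctionName"], "variable": name, "reason": reason})
    return findings


# Constructed sample data: the key pair is the AWS documentation example, not a real credential.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "order-processor", "Environment": {"Variables": {
        "AWS_ACCESS_KEY_ID_LEGACY": "AKIAIOSFODNN7EXAMPLE",
        "AWS_SECRET_ACCESS_KEY_LEGACY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "DATABASE_URL": "postgres://app:s3cr3t@db.internal:5432/orders",
        "LOG_LEVEL": "INFO"}}},
    {"FunctionName": "report-builder", "Environment": {"Variables": {
        "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders-db-AbCdEf",
        "API_TOKEN_PARAM": "arn:aws:ssm:us-east-1:123456789012:parameter/report/api-token"}}},
]
```

Running `find_embedded_credentials(SAMPLE_FUNCTIONS)` reports three findings for `order-processor` and none for `report-builder`, whose variables only point at a secrets store.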
The chain of credentials an attacker can follow defines the true blast radius of any initial compromise. hackaws.cloud maps these chains automatically, showing you every credential path from any starting point.