Lateral Movement
The process of moving through an AWS environment by pivoting between principals, services, and accounts after gaining an initial foothold.
In AWS, lateral movement refers to an attacker's ability to move from one identity or resource to another within the same account or across accounts. Unlike traditional network-based lateral movement, AWS lateral movement is primarily API-driven.
Key lateral movement techniques in AWS include:
- **Role chaining** — Assuming a series of IAM roles, where each role trusts the previous one
- **Service pivoting** — Using one AWS service to access another (e.g., Lambda to S3 to SSM)
- **Cross-account role assumption** — Moving between AWS accounts via cross-account trust policies
- **Instance metadata exploitation** — Accessing the IMDS endpoint on EC2 instances to retrieve temporary credentials
- **Secrets retrieval** — Reading credentials stored in Secrets Manager, SSM Parameter Store, or environment variables
- **Resource policy abuse** — Exploiting S3 bucket policies, SQS policies, or Lambda resource policies that grant access to other principals
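Role chaining and cross-account role assumption both leave a trace in CloudTrail as `AssumeRole` events, so a detection can be written against those records alone. The following is an added example, not code from the original page: it runs over constructed CloudTrail-style events (the account IDs, principal names and role names are made up), flags each hop made by a session that is itself already an assumed role or that targets a role in a different account, and stitches the hops back into the full sequence from the originating user.

```python
"""Flag role chaining and cross-account hops in CloudTrail AssumeRole events.

Added example, not from the original page. An AssumeRole call whose
userIdentity.type is already AssumedRole is a chaining hop; a call whose
target role lives in a different account than the caller is a cross-account
hop. The hops are then linked into end-to-end sequences per originating user.
"""
from typing import Dict, List

# Constructed sample events (trimmed CloudTrail records, not real logs).
SAMPLE_EVENTS = [
    {   # alice assumes DevOps with her user credentials: a normal first hop
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/DevOps"},
    },
    {   # the DevOps session assumes ProdAdmin: role chaining
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                         "arn": "arn:aws:sts::111111111111:assumed-role/DevOps/alice",
                         "sessionContext": {"sessionIssuer": {
                             "arn": "arn:aws:iam::111111111111:role/DevOps"}}},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/ProdAdmin"},
    },
    {   # the ProdAdmin session assumes a role in another account: chaining + cross-account
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                         "arn": "arn:aws:sts::111111111111:assumed-role/ProdAdmin/alice",
                         "sessionContext": {"sessionIssuer": {
                             "arn": "arn:aws:iam::111111111111:role/ProdAdmin"}}},
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Auditor"},
    },
    {   # unrelated STS call, ignored by the detector
        "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/alice"},
    },
]


def account_of(arn: str) -> str:
    # arn:partition:service:region:account-id:resource
    return arn.split(":")[4]


def is_assume_role(event: dict) -> bool:
    return (event.get("eventSource") == "sts.amazonaws.com"
            and event.get("eventName") == "AssumeRole")


def caller_principal(identity: dict) -> str:
    """The stable principal behind a call: the issuing role ARN for an
    assumed-role session, otherwise the caller's own ARN."""
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["arn"]
    return identity["arn"]


def classify_hop(event: dict) -> List[str]:
    """Return the lateral-movement tags that apply to one AssumeRole event."""
    identity = event["userIdentity"]
    target = event["requestParameters"]["roleArn"]
    tags = []
    if identity.get("type") == "AssumedRole":
        tags.append("role-chaining")
    if account_of(target) != identity["accountId"]:
        tags.append("cross-account")
    return tags


def find_lateral_moves(events: List[dict]) -> List[Dict[str, object]]:
    """One finding per AssumeRole event that is a chaining or cross-account hop."""
    findings = []
    for ev in events:
        if not is_assume_role(ev):
            continue
        tags = classify_hop(ev)
        if tags:
            findings.append({"from": caller_principal(ev["userIdentity"]),
                             "to": ev["requestParameters"]["roleArn"],
                             "tags": tags})
    return findings


def reconstruct_chains(events: List[dict]) -> List[List[str]]:
    """Link caller -> target edges into full hop sequences that start at an
    IAM user, so an analyst sees the whole path rather than isolated events."""
    edges: Dict[str, List[str]] = {}
    for ev in events:
        if is_assume_role(ev):
            edges.setdefault(caller_principal(ev["userIdentity"]), []).append(
                ev["requestParameters"]["roleArn"])
    chains: List[List[str]] = []

    def walk(path: List[str]) -> None:
        next_hops = [t for t in edges.get(path[-1], []) if t not in path]  # skip cycles
        if not next_hops:
            chains.append(path)
        for target in next_hops:
            walk(path + [target])

    for root in (p for p in edges if ":user/" in p):
        walk([root])
    return chains


if __name__ == "__main__":
    for f in find_lateral_moves(SAMPLE_EVENTS):
        print(f"{f['from']} -> {f['to']}  [{', '.join(f['tags'])}]")
    for chain in reconstruct_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

On real data the records would come from a CloudTrail query (Athena, CloudWatch Logs Insights or a SIEM) rather than the inline list; `sessionContext.sessionIssuer.arn` is the field that makes the reconstruction possible, because the session ARN itself changes with every session name.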
AWS lateral movement is often invisible to traditional security monitoring because it uses legitimate AWS API calls. The attacker is not scanning ports or exploiting vulnerabilities — they are simply using IAM permissions as intended, just from an unauthorized starting point.
Understanding the full attack graph of possible lateral movement paths is critical for reducing your environment's blast radius.
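The attack graph the paragraph refers to can be computed statically from IAM trust policies: every `Allow` statement granting `sts:AssumeRole` to an AWS principal is an edge from that principal to the role, and the roles reachable from a starting principal are its blast radius. The following is an added example, not code from the original page, with constructed trust policies (made-up account IDs, role names and an example `sts:ExternalId` value). It assumes the caller's identity policy also permits `sts:AssumeRole` on each target, so the result is an upper bound; it treats an account-root principal as reachable from any principal in that account, skips service principals, and marks hops guarded by a `Condition` separately.

```python
"""Build a role-assumption graph from IAM trust policies and compute the
roles reachable from a starting principal.

Added example, not from the original page. Only the trust-policy half of
AssumeRole authorisation is modelled; the caller's identity policy is assumed
to allow sts:AssumeRole, so the output is a worst-case blast radius.
"""
from collections import deque
from typing import Dict, List, Tuple

# Constructed trust policies keyed by role ARN (not from any real account).
TRUST_POLICIES = {
    "arn:aws:iam::111111111111:role/DevOps": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::111111111111:user/alice"},
                       "Action": "sts:AssumeRole"}],
    },
    "arn:aws:iam::111111111111:role/ProdAdmin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": ["arn:aws:iam::111111111111:role/DevOps"]},
                       "Action": ["sts:AssumeRole", "sts:TagSession"]}],
    },
    "arn:aws:iam::222222222222:role/Auditor": {   # cross-account, trusts the whole account
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                       "Action": "sts:AssumeRole",
                       "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}],
    },
    "arn:aws:iam::111111111111:role/LambdaExec": {   # service principal only: not a pivot for users
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "lambda.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
}

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def account_of(arn: str) -> str:
    return arn.split(":")[4]


def trusted_aws_principals(policy: dict) -> List[Tuple[str, bool]]:
    """(principal, has_condition) for each Allow statement granting AssumeRole
    to an AWS principal. Service principals are skipped."""
    out = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        has_condition = bool(stmt.get("Condition"))
        out.extend((p, has_condition) for p in aws)
    return out


def build_assume_graph(trust_policies: Dict[str, dict]) -> Dict[str, List[Tuple[str, bool]]]:
    """Map each trusted principal (ARN, account root or '*') to assumable roles."""
    graph: Dict[str, List[Tuple[str, bool]]] = {}
    for role_arn, policy in trust_policies.items():
        for principal, cond in trusted_aws_principals(policy):
            graph.setdefault(principal, []).append((role_arn, cond))
    return graph


def reachable_roles(trust_policies: Dict[str, dict], start: str) -> Dict[str, dict]:
    """BFS from `start`. From each node we follow edges granted to the node
    itself, to its account root, and to the wildcard principal."""
    graph = build_assume_graph(trust_policies)
    found: Dict[str, dict] = {}
    queue = deque([(start, [start], False)])
    seen = {start}
    while queue:
        node, path, cond_so_far = queue.popleft()
        for key in (node, f"arn:aws:iam::{account_of(node)}:root", "*"):
            for role_arn, cond in graph.get(key, []):
                if role_arn in seen:
                    continue
                seen.add(role_arn)
                hop_cond = cond_so_far or cond
                found[role_arn] = {"path": path + [role_arn], "conditional": hop_cond}
                queue.append((role_arn, path + [role_arn], hop_cond))
    return found


def blast_radius(trust_policies: Dict[str, dict], start: str) -> Dict[str, List[str]]:
    """Summarise reachable roles, the cross-account subset, and the subset
    that depends on a Condition (e.g. an ExternalId) being satisfied."""
    found = reachable_roles(trust_policies, start)
    home = account_of(start)
    return {
        "roles": sorted(found),
        "cross_account": sorted(r for r in found if account_of(r) != home),
        "conditional": sorted(r for r, info in found.items() if info["conditional"]),
    }


if __name__ == "__main__":
    for role, info in reachable_roles(TRUST_POLICIES, "arn:aws:iam::111111111111:user/alice").items():
        print(f"{' -> '.join(info['path'])}  conditional={info['conditional']}")
```

Feeding real policies in means paging `iam:ListRoles` (or the account's IAM credential report plus `GetRole`) for every account in scope; the cross-account entries are the ones to review first, and any role reachable only through an account-root trust is a candidate for tightening to an explicit principal.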