
Cloud Pentesting: The 5 AWS Attack Paths We Find Most Often

2025-12-04 8 min read

From IAM lateral movement to misconfigured S3 buckets — the AWS attack chains we exploit on real engagements.

IAM AssumeRole abuse

Over-permissive trust policies let one compromised principal pivot across accounts. We map AssumeRole chains end-to-end and exploit them.

Fix: deny iam:PassRole and sts:AssumeRole to overly broad principals; use ABAC and SCPs to fence cross-account access.

Public S3 & bucket policies

Block Public Access is the floor — bucket policies and ACLs still leak in nuanced ways, especially with cross-account delegation.

Continuous monitoring catches drift; one-shot reviews miss it.
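The two findings above (trust policies that let a foreign principal assume a role, and bucket policies that grant access past Block Public Access) are the same review question: which Allow statements can a party outside our accounts satisfy, and is anything fencing them? Below is an added example of that check, written for this article and not the authors' own tooling. The policies are constructed, the account ids are placeholders, and the set of condition keys treated as "fencing" a grant (org id, external id, source account and ARN) is an assumption of the example.

```python
"""Lint IAM role trust policies and S3 bucket policies for over-broad principals.

Added example for this article, not the authors' tooling. It evaluates policy documents
offline; the sample policies below are constructed, with placeholder account ids.
"""

# Condition keys that pin a broad principal to a known tenant. Assumption: a statement
# carrying one of them is treated as fenced rather than open to any caller.
SCOPING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:sourceaccount",
    "aws:sourcearn", "sts:externalid",
}
TRUSTED_ACCOUNTS = {"111111111111"}  # constructed: our own account ids


def _principals(statement):
    """Flatten the 'AWS' principal element ("*", a string or a list) to a list.
    Service/Federated principals are left to a separate review and not returned."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return aws if isinstance(aws, list) else [aws]


def _condition_keys(statement):
    """Condition keys, lower-cased (IAM matches them case-insensitively)."""
    return {
        key.lower()
        for operator_block in statement.get("Condition", {}).values()
        for key in operator_block
    }


def _account_of(principal):
    """Account id from an ARN or a bare 12-digit account principal."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")  # arn:partition:service:region:account:resource
    return parts[4] if len(parts) > 5 else None


def find_broad_grants(policy):
    """Return (Sid, principal, reason) for each Allow a party outside our accounts could use."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{idx}")
        if _condition_keys(stmt) & SCOPING_CONDITION_KEYS:
            continue  # scoped by org id, external id, source account or ARN
        for principal in _principals(stmt):
            if principal == "*":
                findings.append((sid, principal, "anonymous principal, no scoping condition"))
            elif _account_of(principal) not in TRUSTED_ACCOUNTS:
                findings.append((sid, principal, "foreign account, no scoping condition"))
    return findings


# Constructed trust policy for a role a vendor assumes: without sts:ExternalId, anything
# in the vendor's account (or a confused deputy there) can assume it.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VendorAssume", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
    }],
}
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VendorAssume", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}
# Constructed bucket policy: Block Public Access rejects the first statement, but the
# second is a cross-account grant it does not touch, so it needs an org fence or review.
WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::333333333333:role/etl"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"},
    ],
}

if __name__ == "__main__":
    for name, doc in [("trust", WEAK_TRUST_POLICY), ("bucket", WEAK_BUCKET_POLICY)]:
        print(name, find_broad_grants(doc))
```

Run it over every role trust policy and bucket policy exported from an account and the list of unfenced grants is the review queue; the hardened trust policy returns nothing because the ExternalId condition scopes the vendor grant. Treat the output as candidates, not verdicts: a cross-account grant to a known partner is legitimate once it carries a fence.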

SSRF → IMDSv1 → role escalation

An SSRF in a web app plus IMDSv1 still gives instant role takeover in 2026. We see it monthly.

Enforce IMDSv2-only at the account level and use service control policies to lock it.
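Finding the instances that still answer IMDSv1, and confirming the SCP that stops new ones from launching that way, is a fleet-level check. The following is an added example written for this article, not the authors' tooling; the instance list is constructed in the shape of `aws ec2 describe-instances` output with placeholder ids, and the SCP uses the `ec2:MetadataHttpTokens` condition key for RunInstances. It also flags IMDSv2 instances with a PUT hop limit above 1, which the article does not discuss but matters on container hosts.

```python
"""Audit EC2 metadata options for IMDSv1 exposure and check the SCP that locks it.

Added example for this article, not the authors' tooling. RESERVATIONS is constructed
sample data in the shape of `aws ec2 describe-instances` output; ids are placeholders.
"""


def imds_posture(instance):
    """Classify one instance: 'disabled', 'v2-only' or 'v1-allowed'."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return "disabled"    # no metadata endpoint at all
    if opts.get("HttpTokens") == "required":
        return "v2-only"     # a session token (PUT + header) is required; a bare GET gets nothing
    return "v1-allowed"      # default 'optional': a single GET returns the role's credentials


def audit(reservations, max_hop_limit=1):
    """Instances still accepting IMDSv1, plus v2-only instances whose PUT hop limit exceeds
    max_hop_limit (a token can then be fetched from inside a container on the host)."""
    report = {"imdsv1": [], "hop_limit_over": []}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            posture = imds_posture(inst)
            hops = inst.get("MetadataOptions", {}).get("HttpPutResponseHopLimit", 1)
            if posture == "v1-allowed":
                report["imdsv1"].append(inst["InstanceId"])
            elif posture == "v2-only" and hops > max_hop_limit:
                report["hop_limit_over"].append(inst["InstanceId"])
    return report


def remediation_commands(report):
    """AWS CLI calls that switch each flagged instance to IMDSv2-only (built, not executed)."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-endpoint enabled"
        for iid in report["imdsv1"]
    ]


def scp_requires_imdsv2(scp):
    """True if the SCP denies ec2:RunInstances unless the launch requests IMDSv2 tokens."""
    for stmt in scp.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if (stmt.get("Effect") == "Deny" and "ec2:RunInstances" in actions
                and cond.get("ec2:MetadataHttpTokens") == "required"):
            return True
    return False


# Constructed SCP: new launches must request IMDSv2; existing instances are fixed with the
# modify call above.
SCP_REQUIRE_IMDSV2 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RequireImdsV2OnLaunch",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
    }],
}

# Constructed describe-instances data: one v1 instance, one clean, one with a wide hop
# limit, one with the endpoint disabled.
RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbbb",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0cccccccccccccccc",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0dddddddddddddddd",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]

if __name__ == "__main__":
    result = audit(RESERVATIONS)
    print(result)
    print("\n".join(remediation_commands(result)))
    print("SCP enforces IMDSv2:", scp_requires_imdsv2(SCP_REQUIRE_IMDSV2))
```

Feed it the real describe-instances output per region and the `imdsv1` list is what to fix first; the SCP check is a regression guard so the list stays empty after the next launch template change.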

Lambda environment leakage

Secrets in Lambda env vars get logged, dumped via verbose errors, and shared across reused execution environments.

Use Secrets Manager or Parameter Store with KMS, never env vars for sensitive material.
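A quick way to find functions that still carry secrets in their environment, as opposed to a reference the code resolves at runtime, is to scan each function configuration for secret-like variable names and high-entropy values. This is an added example written for this article, not the authors' tooling; the function configurations are constructed in the shape of `aws lambda get-function-configuration` output, the name patterns and the entropy threshold are assumptions of the example, and a value that is a Secrets Manager ARN or a Parameter Store path is treated as the recommended pattern and skipped.

```python
"""Scan Lambda function configurations for secrets stored directly in environment variables.

Added example for this article, not the authors' tooling. FUNCTION_CONFIGS is constructed in
the shape of get-function-configuration output; names, ARNs and values are placeholders.
"""
import math
import re

# Assumption: variable names containing these words usually hold sensitive material.
SECRET_NAME = re.compile(r"secret|token|passw(or)?d|api[_-]?key|private[_-]?key|credential", re.I)
# Values that reference Secrets Manager or Parameter Store instead of holding the secret.
REFERENCE_VALUE = re.compile(r"^(arn:aws:(secretsmanager|ssm):|/)")
ENTROPY_THRESHOLD = 4.0   # bits per character; random keys sit well above, words well below
MIN_LENGTH = 20           # short config values are not worth an entropy check


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    if not text:
        return 0.0
    length = len(text)
    return -sum((n / length) * math.log2(n / length)
                for n in (text.count(c) for c in set(text)))


def classify_env(variables):
    """Return (name, reason) for each variable that looks like an inlined secret."""
    findings = []
    for name, value in variables.items():
        if REFERENCE_VALUE.match(value):
            continue  # a reference the function resolves with KMS-backed decryption at runtime
        if SECRET_NAME.search(name):
            findings.append((name, "name looks like a secret"))
        elif len(value) >= MIN_LENGTH and shannon_entropy(value) > ENTROPY_THRESHOLD:
            findings.append((name, "high-entropy value"))
    return findings


def scan_functions(configs):
    """Map function name to its findings across a list of function configurations."""
    return {
        cfg["FunctionName"]: classify_env(cfg.get("Environment", {}).get("Variables", {}))
        for cfg in configs
    }


# Constructed: one function with a password and an opaque key inlined, one that keeps
# only references in its environment.
FUNCTION_CONFIGS = [
    {"FunctionName": "orders-api",
     "Environment": {"Variables": {
         "DB_PASSWORD": "Correct-Horse-Battery-Staple-9",
         "TABLE_NAME": "orders",
         "CFG_BLOB": "a8F3kL9qZx2mNp7RtV4wYb6cDe1gHj5s",
         "LOG_LEVEL": "INFO",
     }}},
    {"FunctionName": "reports-worker",
     "Environment": {"Variables": {
         "DB_PASSWORD_ARN": "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/db-PLACEHOLDER",
         "API_KEY_PARAM": "/prod/reports/api-key",
         "STAGE": "prod",
     }}},
]

if __name__ == "__main__":
    for fn, hits in scan_functions(FUNCTION_CONFIGS).items():
        print(fn, hits or "clean")
```

Page through `list-functions` in each region, run `classify_env` on every configuration, and the result is the migration list for Secrets Manager or Parameter Store. The reference check matters because a variable named `DB_PASSWORD_ARN` is the correct pattern and should not show up as a finding.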

CloudTrail blind spots

CloudTrail doesn't log data plane events by default (S3 GetObject, Lambda Invoke). Attackers know — and exploit it.

Enable data-event logging on critical buckets and functions; alert on AssumeRole spikes.
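Both halves of that fix can be checked from the trail itself: the event selectors show which data-resource types are actually recorded, and a sliding window over `sts:AssumeRole` events surfaces a principal that suddenly starts trying roles. The following is an added example written for this article, not the authors' detection content; the CloudTrail records are constructed with placeholder account ids, instance ids and role names, and the five-per-five-minutes threshold is an assumption to tune per identity class.

```python
"""Detect AssumeRole spikes in CloudTrail and check a trail's data-event coverage.

Added example for this article, not the authors' tooling. SAMPLE_LOG is constructed in the
shape of CloudTrail JSON records; account ids, instance ids and role names are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def parse_events(lines):
    """Reduce each CloudTrail record (one JSON document per line) to the fields we need."""
    events = []
    for line in lines:
        record = json.loads(line)
        params = record.get("requestParameters") or {}
        events.append({
            "time": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": record["eventSource"],
            "name": record["eventName"],
            "actor": record.get("userIdentity", {}).get("arn", "unknown"),
            "role": params.get("roleArn"),
        })
    return events


def assume_role_spikes(events, window=timedelta(minutes=5), threshold=5):
    """Actors with at least `threshold` sts:AssumeRole calls inside any `window`, mapped to
    the distinct roles they targeted. A workload identity cycling through roles is the
    cross-account pivot seen from the log side."""
    per_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["source"] == "sts.amazonaws.com" and ev["name"] == "AssumeRole":
            per_actor[ev["actor"]].append(ev)
    alerts = {}
    for actor, evs in per_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[actor] = sorted({e["role"] for e in evs[start:end + 1] if e["role"]})
                break
    return alerts


def data_event_coverage(event_selectors):
    """Data-resource types a trail records, from get-event-selectors shaped input. Any type
    missing from the set (for example 'AWS::Lambda::Function') is a blind spot."""
    return {res["Type"] for sel in event_selectors for res in sel.get("DataResources", [])}


WEB = "arn:aws:sts::111111111111:assumed-role/web-app-role/i-0aaaaaaaaaaaaaaaa"
DEPLOY = "arn:aws:iam::111111111111:user/deploy"
ROLE = "arn:aws:iam::111111111111:role/"


def _record(time, actor, name, role=None):
    """Build one constructed CloudTrail record as a JSON line."""
    return json.dumps({
        "eventTime": time, "eventSource": "sts.amazonaws.com", "eventName": name,
        "userIdentity": {"arn": actor},
        "requestParameters": {"roleArn": role} if role else None,
    })


SAMPLE_LOG = [
    # the web app's instance role trying one role after another within three minutes
    _record("2025-12-04T10:00:05Z", WEB, "AssumeRole", ROLE + "admin"),
    _record("2025-12-04T10:00:10Z", DEPLOY, "AssumeRole", ROLE + "ci"),
    _record("2025-12-04T10:00:40Z", WEB, "AssumeRole", ROLE + "billing"),
    _record("2025-12-04T10:01:10Z", WEB, "AssumeRole", ROLE + "data-lake"),
    _record("2025-12-04T10:01:55Z", WEB, "AssumeRole", ROLE + "admin"),
    _record("2025-12-04T10:02:30Z", WEB, "AssumeRole", ROLE + "ci"),
    _record("2025-12-04T10:03:00Z", WEB, "AssumeRole", ROLE + "backup"),
    _record("2025-12-04T10:03:30Z", DEPLOY, "GetCallerIdentity"),
    _record("2025-12-04T10:04:00Z", DEPLOY, "AssumeRole", ROLE + "ci"),
]

# Constructed trail configuration: S3 data events on one bucket, nothing for Lambda.
TRAIL_SELECTORS = [{
    "ReadWriteType": "All", "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::customer-exports/"]}],
}]

if __name__ == "__main__":
    print(assume_role_spikes(parse_events(SAMPLE_LOG)))
    print("data events covered:", data_event_coverage(TRAIL_SELECTORS))
```

The deploy user's two AssumeRole calls stay below the threshold while the instance role's burst is reported along with the roles it reached for, which is what an analyst needs to scope the pivot. The coverage check should be part of the same job: a trail that records S3 object events but not Lambda invocations is still blind to half the data plane the article calls out.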

Get started

Ready to find what attackers will?

Talk to a senior pentester. Get a tailored scope, sample report and timeline within 24 hours.