Can attackers undo your containment actions before they take effect? AWS IAM's eventual consistency creates a roughly 4-second window where policy changes haven't fully propagated. An attacker monitoring for containment can detect a deny-all policy and delete it before enforcement kicks in.
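
One way to detect the rollback described above from CloudTrail records, as an added example that is not from the original page: it flags the removal of a responder-applied IAM user policy by anyone other than the responder, and reports whether the removal succeeded or was already denied. The ARNs, the policy name `ContainmentDenyAll`, the 60-second alert window and the sample records are constructed assumptions, and only user inline and managed policies are covered.

```python
import json
from datetime import datetime

APPLY = {"PutUserPolicy", "AttachUserPolicy"}
REMOVE = {"DeleteUserPolicy", "DetachUserPolicy"}
WINDOW_S = 60  # assumption: alerting window in seconds, not a figure from the page

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_rollbacks(events, responders, window_s=WINDOW_S):
    """Flag removal of a responder-applied user policy by a non-responder."""
    applied, findings = {}, []   # applied: (userName, policy) -> apply time
    for ev in sorted(events, key=_ts):
        p = ev.get("requestParameters") or {}
        key = (p.get("userName"), p.get("policyName") or p.get("policyArn"))
        actor = ev.get("userIdentity", {}).get("arn", "")
        ok = "errorCode" not in ev          # CloudTrail sets errorCode on failed calls
        name = ev.get("eventName")
        if name in APPLY and actor in responders and ok:
            applied[key] = _ts(ev)
        elif name in REMOVE and key in applied:
            gap = (_ts(ev) - applied[key]).total_seconds()
            if actor not in responders and gap <= window_s:
                findings.append({"user": key[0], "policy": key[1], "actor": actor,
                                 "seconds_after_containment": gap, "undone": ok})
            if ok:
                del applied[key]            # policy is gone; containment must be re-applied
    return findings

# Constructed CloudTrail records, trimmed to the fields used above.
IR = "arn:aws:sts::111122223333:assumed-role/IRResponder/oncall"
VICTIM = "arn:aws:iam::111122223333:user/compromised-dev"

def _ev(sec, name, actor, err=None):
    ev = {"eventTime": f"2024-01-01T12:00:{sec:02d}Z", "eventName": name,
          "userIdentity": {"arn": actor},
          "requestParameters": {"userName": "compromised-dev",
                                "policyName": "ContainmentDenyAll"}}
    if err:
        ev["errorCode"] = err
    return ev

SAMPLE = [
    _ev(0, "PutUserPolicy", IR),
    _ev(2, "DeleteUserPolicy", VICTIM),                   # lands before enforcement
    _ev(10, "PutUserPolicy", IR),
    _ev(20, "DeleteUserPolicy", VICTIM, "AccessDenied"),  # deny already enforced
    _ev(40, "DeleteUserPolicy", IR),                      # responder's own cleanup
]

if __name__ == "__main__":
    print(json.dumps(find_rollbacks(SAMPLE, {IR}), indent=2))
```

A finding with `undone` set to true means the contained user is no longer denied and containment has to be re-applied; `undone` false records an attempt that arrived after the deny took effect.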
