What if you could maintain AWS access indefinitely without creating users or keys? Role chain juggling takes advantage of a built-in AWS behavior: when you use one assumed role to assume another, the credential expiration timer resets.

This means you can chain assume-role calls repeatedly to keep credentials fresh. You can even chain the same role to itself if the trust policy allows it, or find two roles that can assume each other and cycle between them.

https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/?mtm_campaign=social_mastodon

Can attackers undo your containment actions before they take effect? AWS IAM's eventual consistency creates a roughly 4-second window where policy changes haven't fully propagated. An attacker monitoring for containment can detect a deny-all policy and delete it before enforcement kicks in.

https://hackingthe.cloud/aws/post_exploitation/iam_persistence_eventual_consistency/?mtm_campaign=social_mastodon

What if attackers could create GCP projects that are effectively invisible in your console? Apps Script projects live in hidden sys-* folders that don't appear in standard project lists. By creating projects that mimic this naming convention, attackers can establish persistence through service accounts or spin up compute for cryptomining, all while staying off the radar.

https://hackingthe.cloud/gcp/avoid-detection/apps-script-abuse/?mtm_campaign=social_mastodon

Got shell access to an EC2 instance? You can quickly enumerate the AWS account ID through two reliable methods.

First, try aws sts get-caller-identity - if an instance profile is attached, it returns the account ID, user ID, and ARN directly.

Second, query the instance metadata service at 169.254.169.254. The instance-identity document reveals account ID, region, availability zone, instance type, and more. Just remember to grab an IMDSv2 token first.

https://hackingthe.cloud/aws/enumeration/account_id_from_ec2/?mtm_campaign=social_mastodon

What if a simple Cognito login could grant an attacker access to your S3 buckets, DynamoDB tables, or worse? When AWS Cognito Identity Pools are configured with excessive IAM permissions, authenticated users receive temporary credentials that let them far exceed their intended access. Authenticate to a user pool, exchange the ID token for AWS credentials, then leverage whatever permissions the Identity Pool grants. Even unauthenticated users can be affected.

https://hackingthe.cloud/aws/exploitation/cognito_identity_pool_excessive_privileges/?mtm_campaign=social_mastodon

EC2 user data scripts are meant for bootstrapping instances, but they frequently contain hardcoded credentials and secrets. AWS even warns against this practice since the data has no authentication or encryption protecting it.

If you compromise an EC2 instance, grab the user data immediately via the metadata service. Got IAM access instead? Use describe-instance-attribute to pull it from the API.

https://hackingthe.cloud/aws/general-knowledge/introduction_user_data/?mtm_campaign=social_mastodon

Got IAM credentials but want to click around the console instead of memorizing CLI flags? You can convert those creds into a browser session!.

The process differs based on cred type: temporary creds (ASIA...) work directly with "aws-vault login", while long-term creds (AKIA...) require sts:GetFederationToken or sts:AssumeRole first.

Fair warning: this generates a ConsoleLogin event plus suspicious user-agent strings in CloudTrail, so not ideal for stealth.

https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/?mtm_campaign=social_mastodon