Cloud & Container Security · intermediate · ~11 min
Explain credential exposure, the metadata service, and IAM-based escalation.
Cloud post-exploitation hunts leaked credentials (hardcoded, in the 169.254.169.254 metadata service via SSRF, in env vars/secret stores) and abuses IAM permissions (iam:PassRole, policy-version/attach, sts:AssumeRole chaining) to escalate to admin. Defenses: secrets managers, IMDSv2, least privilege, logging, rotation.
Credential exposure (especially metadata-service theft via SSRF) and IAM privilege-escalation paths are how cloud footholds become full account compromise — the cloud analogue of AD path-finding, and a core assessment focus.
Credential leaks. Repos, CI logs, images, env vars, metadata service.
Metadata + SSRF. 169.254.169.254 → role creds; IMDSv2 defends.
IAM escalation. PassRole, CreatePolicyVersion, AssumeRole chaining.
Defenses. Secrets managers, IMDSv2, least privilege, logging, rotation.
Once inside a cloud environment, attackers hunt credentials and abuse IAM to escalate — the cloud equivalent of privilege escalation.
Metadata service (169.254.169.254): a compromised app (often via SSRF, see the web track) reads the instance's role credentials. Defense: IMDSv2 (session-token required), least-privilege instance roles.

IAM escalation. Like AD attack paths, but for IAM policies. A principal with a seemingly minor permission can often reach admin:
- iam:PassRole + a compute service → run code as a more privileged role.
- iam:CreatePolicyVersion / AttachUserPolicy → grant yourself admin.
- sts:AssumeRole across over-trusting roles.
Tools (ScoutSuite, Pacu, cloud IAM analyzers) enumerate these paths.

Defenses. Use secrets managers (not hardcoded secrets), enforce IMDSv2, apply least privilege (no iam:*, no wildcard PassRole), enable logging (next lesson) to detect abuse, and rotate credentials.
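As an added example (not part of the lesson or of any of the tools it names), a small Python linter over an IAM policy document that flags the escalation primitives listed above when they are granted on a wildcard resource, beside a scoped PassRole policy that passes. The sample policies are constructed, and the check ignores Conditions, NotAction and NotResource.

```python
import json
from fnmatch import fnmatch

# Escalation primitives this lesson names, with the reason each matters.
# Constructed for this example; not an exhaustive catalogue.
RISKY_ACTIONS = {
    "iam:PassRole": "hand a more privileged role to a compute service",
    "iam:CreatePolicyVersion": "rewrite an attached policy to grant admin",
    "iam:AttachUserPolicy": "attach an admin policy to a user",
    "sts:AssumeRole": "chain into over-trusting roles",
}

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_escalation_paths(policy):
    """Return (action_pattern, resource, reason) for every Allow statement that
    grants a risky action (directly or via a glob like iam:*) on a wildcard
    resource. Conditions and NotAction/NotResource are not evaluated, so treat
    the result as a triage list, not a proof of safety."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        for pattern in _as_list(stmt["Action"]):
            for action, reason in RISKY_ACTIONS.items():
                # Action matching is case-insensitive and glob-style in IAM.
                if not fnmatch(action.lower(), pattern.lower()):
                    continue
                for res in resources:
                    if "*" in res:  # "*" or a partial ARN wildcard
                        findings.append((pattern, res, reason))
    return findings

# Constructed sample policies (account id is the AWS documentation placeholder).
OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-worker"},
]}

if __name__ == "__main__":
    for name, pol in (("overbroad", OVERBROAD), ("scoped", SCOPED)):
        print(name, json.dumps(find_escalation_paths(pol), indent=1))
```

The over-broad policy yields four findings (PassRole on `*` plus three primitives reachable through `iam:*`); the scoped policy, which limits PassRole to one role ARN, yields none.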
Cloud escalation chains leaked credentials (notably via the metadata service through SSRF) and over-broad IAM permissions into admin access. Secrets managers, IMDSv2, least-privilege policies, logging, and rotation break these paths.