Why Your Organization Might Still Be Repeating Costly Mistakes in 2026
In an era where cloud adoption has skyrocketed, AWS remains a prime target for attackers. From a 2014 credential leak exposing 50,000 customer records to the 2025 Codefinger ransomware wave targeting S3 buckets, breaches continue to rack up billions in damages. The core issue? Persistent vulnerabilities in credentials, configurations, and account management.
This enhanced guide draws from over a decade of incidents, incorporating recent 2024-2025 cases like the ShinyHunters credential theft and a notable infrastructure wipeout. We've reformatted for clarity, added actionable tables, updated examples, and included proactive strategies to help you evolve from reactive fixes to resilient defenses.
The Evolving Threat Landscape
Attackers haven't just gotten smarter—they've industrialized exploitation. Automated tools scan for exposed keys in seconds, while AI-driven attacks probe for misconfigurations. Key stats from 2025:
Cloud breaches average $4.5M in costs (up from $4M in prior years).
94% of organizations report API security issues, often tied to AWS services.
Ransomware like Codefinger makes recovery "impossible" without payment, exploiting stolen AWS credentials.
The question: Have you learned from these expensive lessons?
The Three Ghosts of Cloud Security: Past, Present, and Future
We've structured each "ghost" with updated examples, attacker tactics (mapped to MITRE ATT&CK), and enhanced detection strategies.
Ghost #1: The Person Who Committed Their Credentials
One of the most persistent ghosts in cloud security is the accidental exposure of credentials. In the rush to deliver features, developers may commit AWS access keys into GitHub, GitLab, or leave them exposed in CI/CD logs and public gists.
This oversight has repeatedly led to breaches across industries:
Transportation sector (mid-2010s): Exposed keys enabled attackers to access customer data in cloud-hosted databases.
Software supply-chain (early 2020s): CI/CD credentials were harvested, giving adversaries stealthy access to build environments.
Automotive industry (early 2020s): Publicly exposed keys granted unauthorized entry to backend APIs and customer information.
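The cheapest place to catch a committed key is before it reaches the remote. The following Python script is an added illustration, not code from the original guide or from any project it cites: a pre-commit style scanner that reads a unified diff and refuses it when an added line carries an AWS access key ID (the AKIA/ASIA prefix plus 16 characters) or a 40-character secret sitting next to an "aws ... secret" label. The diff, file name and key values below are constructed (the key pair is the placeholder pair AWS uses in its own documentation); the `# allow-secret` marker is an assumed convention for documenting the key format without tripping the hook.

```python
"""Added example (not from the original article): a minimal pre-commit style
scanner that refuses a diff containing AWS access key material."""
import re
import sys
from typing import List, Tuple

# Long-term access key IDs start with AKIA, STS temporary ones with ASIA.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-like characters. Only flag them on a line
# that labels itself as an AWS secret, to keep false positives down.
SECRET_KEY_RE = re.compile(
    r"""(?i)aws.{0,20}secret.{0,20}[=:]\s*["']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)
# Assumed convention: a line the author explicitly marks as safe is skipped.
ALLOW_MARKER = "# allow-secret"
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def redact(value: str) -> str:
    """Keep only the first 4 characters so the report never re-leaks the credential."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, redacted_value) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


def scan_diff(diff: str) -> List[Tuple[int, str, str]]:
    """Scan only the lines a unified diff adds, reporting new-file line numbers."""
    findings = []
    new_lineno = 0
    for line in diff.splitlines():
        hunk = HUNK_RE.match(line)
        if hunk:
            new_lineno = int(hunk.group(1))   # line number of the first line in the hunk
            continue
        if line.startswith(("+++", "---", "-")):
            continue                          # file headers and removed lines
        if line.startswith("+"):
            for _, kind, value in scan_text(line[1:]):
                findings.append((new_lineno, kind, value))
        new_lineno += 1                       # context and added lines both advance


    return findings


# Constructed diff using the placeholder key pair from the AWS documentation.
CONSTRUCTED_DIFF = """\
diff --git a/deploy.env b/deploy.env
--- a/deploy.env
+++ b/deploy.env
@@ -1,2 +1,4 @@
 REGION=us-east-1
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 BUCKET=builds
"""


def main() -> int:
    """Pre-commit entry point: read a diff on stdin, exit 1 if secrets appear."""
    findings = scan_diff(sys.stdin.read())
    for lineno, kind, value in findings:
        print(f"line {lineno}: {kind} {value}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired as a hook, it runs as `git diff --cached | python scan_aws_keys.py` (file name assumed) and blocks the commit on a non-zero exit; the redacted report tells the developer which line to fix without echoing the key into the CI log, which is the second leak path the section describes.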
AWS Credential and Role Abuse Detection: MITRE-Mapped API Matrix
| Phase / Category | MITRE ATT&CK | Key API Calls / Techniques | Priority (HP/MP) | Suggested Alert Thresholds | Correlation / Detection Rules |
|---|---|---|---|---|---|
| Discovery / Identity Validation | T1589.001 (Gather Credentials); T1078 (Valid Accounts) | Automated repo scans, sts:GetCallerIdentity, iam:GetUser | HP | Any sts:GetCallerIdentity or iam:GetUser from unknown IPs / geos; more than 5 attempts per minute | Correlate with repo scan alerts using repo scanning tools; alert if activity comes from TOR, ASN ranges, or unusual geographies |
| Validation / Privilege Escalation | T1078 (Valid Accounts); T1484.002 (Modify Roles/Policies) | iam:CreateUser, sts:AssumeRole | HP | Any new user creation or role assumption outside baseline; more than 3 abnormal role assumptions per hour | Trigger if non-admin executes role assumption or creation; correlate with MFA usage and past login history |
| Escalation / Persistence | T1484.002 (Modify Roles/Policies); T1098 (Account Manipulation) | iam:CreateAccessKey, iam:UpdateLoginProfile | HP | Creation of access keys or login profile updates from inactive accounts; sudden surge >2x baseline | Alert if keys are created for accounts inactive >90 days or with wildcard/admin policies |
| Persistence / Account Manipulation | T1098 (Account Manipulation) | iam:CreateAccessKey, iam:UpdateLoginProfile | MP | Any access key update outside business hours or unusual regions | Correlate with sts:AssumeRole or GetCallerIdentity calls; alert if combined with data access events |
| Exfiltration / Data Access | T1530 (Data from Cloud Storage) | s3:GetObject, secretsmanager:GetSecretValue, rds:DescribeDBInstances | HP | >50 objects retrieved per minute or large volume from sensitive/internal-only buckets; secrets accessed more than 3 times per minute | Correlate with prior privilege escalation events; trigger high-priority alert if accessed by newly created or inactive accounts |
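To show how the thresholds in the matrix turn into detection logic, here is an added Python example that is not part of the original guide: a small rule engine that replays CloudTrail-shaped records in time order and raises the matrix's alerts, using rolling windows for the per-minute and per-hour counts (5 identity checks per minute, 3 role assumptions per hour, 50 object reads per minute) and a per-session memory of which principals already escalated so that the exfiltration rule can be correlated with it. The trusted egress IP, the admin principal, the sensitive bucket name, the account ID and every event are constructed for the demonstration.

```python
"""Added example (not part of the original article): applying the Ghost #1
matrix to CloudTrail records. All principals, IPs and events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

ADMIN = "arn:aws:iam::111122223333:user/ops-admin"   # constructed account and users
DEV = "arn:aws:iam::111122223333:user/dev-ci"
TRUSTED_IPS = {"203.0.113.10"}            # corporate egress (documentation range)
ADMIN_PRINCIPALS = {ADMIN}
SENSITIVE_BUCKETS = {"customer-records"}
IDENTITY_CALLS = {"GetCallerIdentity", "GetUser"}
ESCALATION_CALLS = {"AssumeRole", "CreateUser"}


def _ts(event: Dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


class SlidingCounter:
    """Counts events per key inside a rolling window (the matrix uses 1 min / 1 h)."""

    def __init__(self, window: timedelta):
        self.window = window
        self.hits: Dict[str, Deque[datetime]] = defaultdict(deque)

    def add(self, key: str, when: datetime) -> int:
        q = self.hits[key]
        q.append(when)
        while when - q[0] > self.window:   # drop hits that fell out of the window
            q.popleft()
        return len(q)


def _alert(alerts: List[Dict], ev: Dict, rule: str, priority: str = "HP") -> None:
    alerts.append({"priority": priority, "rule": rule,
                   "principal": ev["userIdentity"]["arn"], "eventTime": ev["eventTime"]})


def detect(events: List[Dict]) -> List[Dict]:
    """Replay events in time order and return the alerts the matrix rules raise."""
    alerts: List[Dict] = []
    identity_per_ip = SlidingCounter(timedelta(minutes=1))
    escalations_per_user = SlidingCounter(timedelta(hours=1))
    reads_per_user = SlidingCounter(timedelta(minutes=1))
    escalated = set()   # principals that already tripped an escalation rule
    for ev in sorted(events, key=_ts):
        name, ip, who, when = ev["eventName"], ev["sourceIPAddress"], ev["userIdentity"]["arn"], _ts(ev)
        params = ev.get("requestParameters") or {}
        # Discovery: identity validation from an untrusted IP, or more than 5 per minute per IP.
        if name in IDENTITY_CALLS:
            if ip not in TRUSTED_IPS:
                _alert(alerts, ev, "identity-check-from-unknown-ip")
            if identity_per_ip.add(ip, when) == 6:        # fire once when the line is crossed
                _alert(alerts, ev, "identity-check-burst")
        # Validation / escalation: a non-admin assuming a role or creating a user.
        if name in ESCALATION_CALLS and who not in ADMIN_PRINCIPALS:
            escalated.add(who)
            _alert(alerts, ev, "non-admin-escalation")
            if escalations_per_user.add(who, when) == 4:   # more than 3 per hour
                _alert(alerts, ev, "escalation-burst")
        # Persistence: a key minted by a principal that escalated earlier in the session.
        if name == "CreateAccessKey" and who in escalated:
            _alert(alerts, ev, "access-key-after-escalation")
        # Exfiltration: more than 50 objects per minute out of a sensitive bucket;
        # the rule name records whether the reader had already escalated.
        if name == "GetObject" and params.get("bucketName") in SENSITIVE_BUCKETS:
            if reads_per_user.add(who, when) == 51:
                suffix = "after-escalation" if who in escalated else "sensitive-bucket"
                _alert(alerts, ev, "bulk-read-" + suffix)
    return alerts


def make_event(t: str, name: str, ip: str, arn: str, **params) -> Dict:
    """Build a minimal CloudTrail-shaped record (constructed, not real log data)."""
    return {"eventTime": t, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}, "requestParameters": params}


ATTACKER_IP = "198.51.100.7"              # documentation-range address
SAMPLE_EVENTS = [
    make_event("2025-06-01T09:59:00Z", "GetCallerIdentity", "203.0.113.10", ADMIN),   # routine
    make_event("2025-06-01T10:00:00Z", "GetCallerIdentity", ATTACKER_IP, DEV),        # leaked key checked
    make_event("2025-06-01T10:00:05Z", "AssumeRole", ATTACKER_IP, DEV,
               roleArn="arn:aws:iam::111122223333:role/DataAdmin"),
    make_event("2025-06-01T10:00:30Z", "CreateAccessKey", ATTACKER_IP, DEV, userName="dev-ci"),
] + [
    make_event(f"2025-06-01T10:01:{i:02d}Z", "GetObject", ATTACKER_IP, DEV,
               bucketName="customer-records", key=f"export/{i}.csv")
    for i in range(60)   # 60 reads inside one minute
]
```

Run on the constructed sequence, `detect(SAMPLE_EVENTS)` produces four HP alerts: the identity check from the unknown IP, the non-admin role assumption, the access key created right after it, and the bulk read, which fires once at the 51st object rather than on every subsequent read. Firing at the crossing point keeps a 10,000-object download from becoming 9,950 duplicate alerts, which matters when the detection feeds a pager.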
Ghost #2: The Configuration That Nobody Checked
Misconfigured IAM roles, storage buckets, and network rules remain one of the top cloud security risks. What starts as a “temporary test” configuration often lingers unnoticed, creating silent entry points for attackers.
2019 breach: A global financial services company suffered a massive breach when an SSRF flaw enabled attackers to abuse overly permissive S3 bucket access, exposing millions of customer records.
2022 incident: A communications platform inadvertently exposed dashboards and weak IAM roles, leaking sensitive internal and client data.
Impact: Large-scale customer data loss, severe regulatory penalties, and long-term brand erosion — frequently costing organizations hundreds of millions in fines, remediation, and lost trust.
How Attackers Exploit Misconfigurations
AWS Misconfiguration Detection: MITRE-Mapped API Matrix
| Attack Phase | MITRE Mapping | Key API Hooks | Priority (HP/MP) | Alert Thresholds | Correlation / Detection Rules |
|---|---|---|---|---|---|
| Reconnaissance | T1595 – Active Scanning | ListBuckets, GetBucketAcl, GetBucketPolicy, ListRoles, ListUsers, DescribeInstances | HP | Multiple list/access calls within short time frame; unusual IPs | Correlate ListBuckets/ListRoles usage from non-admin accounts or unusual regions; flag scanning patterns |
| Initial Access | T1190 – Exploit Public-Facing Application | InvokeFunction, SendCommand, GetCallerIdentity, AssumeRole (from external IPs) | HP | Calls from unknown IPs or geographies | Detect external IP calling sensitive APIs; correlate with CloudFront/WAF logs for SSRF attempts |
| Privilege Escalation | T1484.002 – Modify Cloud Compute Roles/Policies | CreateRole, PutRolePolicy, AttachRolePolicy, UpdateAssumeRolePolicy, PutUserPolicy | HP | Non-admin creates role/policy or applies wildcard/AdminAccess | Alert on any role/policy modification granting * permissions; cross-check with baseline IAM templates |
| Data Collection & Exfiltration | T1530 – Data from Cloud Storage | GetObject, GetObjectAcl, ListObjectsV2, SelectObjectContent | HP | Sudden spikes in object access or access by non-approved principals | Flag bulk downloads from sensitive buckets; correlate with unusual key usage or external IPs |
| Impact / Denial or Disruption | T1499 – Endpoint Denial/Disruption | DeleteBucket, DeleteTrail, StopLogging, TerminateInstances, DeleteDBInstance | HP | Deletion of critical resources or logging stopped | High-priority alert if DeleteBucket/DeleteTrail/StopLogging occurs; correlate with IAM activity and previous exfiltration attempts |
| Network Exposure | T1046 – Network Service Scanning | AuthorizeSecurityGroupIngress | MP | SG opened to 0.0.0.0/0 for sensitive ports (22, 3389) | Alert on new public access rules; correlate with unusual IAM activity or external login attempts |
Ghost #3: The Insider Who Never Left
Former employees, contractors, or unused credentials that linger in cloud environments often become silent backdoors for attackers. These “ghost accounts” may remain unnoticed for months, bypassing normal monitoring.
2017 breach: A cloud storage provider exposed sensitive data when unused contractor keys were exploited to access internal systems.
2021 incident: A healthcare firm suffered insider-driven data theft after an ex-employee’s credentials remained active post-offboarding.
Impact: Long-term persistence, covert data exfiltration, and insider-style fraud or espionage — frequently resulting in multi-million dollar compliance fines, remediation costs, and irreparable reputational damage.
AWS Forgotten Accounts Detection: MITRE-Mapped API Matrix
| Attack Phase | MITRE Mapping | Key API Hooks | Priority (HP/MP) | Alert Thresholds | Correlation / Detection Rules |
|---|---|---|---|---|---|
| Initial Access | T1078 – Valid Accounts | ConsoleLogin, AssumeRole | HP | Login attempts from inactive accounts (>90 days) | Correlate ConsoleLogin / AssumeRole with last activity date; flag stale accounts |
| Persistence | T1136 – Create/Abuse Accounts | CreateAccessKey, UpdateLoginProfile | HP | Keys created for inactive or offboarded users | Detect new key creation/update for accounts inactive >90 days; correlate with role assignment |
| Evasion | T1070 – Indicator Removal | DeleteAccessKey, StopLogging | HP | Deletion or disablement of logging trails | Alert on StopLogging/DeleteAccessKey; correlate with unusual access or exfiltration attempts |
| Lateral Movement | T1550 – Use of Application Access Tokens | AssumeRole, GetSessionToken | MP | Role/session tokens used across accounts unexpectedly | Detect cross-account AssumeRole or session creation from non-standard IPs or regions |
| Impact | T1499 – Business Impact | GetSecretValue, TerminateInstances | HP | Access to sensitive data or termination of resources | Correlate access to secrets or termination API calls with inactive accounts or unusual sequences |
| Stale Account Abuse | T1078 – Valid Accounts | ConsoleLogin from accounts inactive >90 days | HP | Any console/API login from stale accounts | Cross-reference with HR offboarding lists; alert on unexpected access |
| Root Account Misuse | T1098 – Account Manipulation | ConsoleLogin from root | HP | Any root login | Alert on root login activity; correlate with recent API calls from new regions |
| Old Key Use | T1552 – Unsecured Credentials | GetCallerIdentity with keys older than 90 days | HP | Old key usage | Flag IAM keys inactive >90 days making API calls; correlate with sensitive resource access |
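What distinguishes this matrix from the previous two is that its rules need context CloudTrail does not carry: when a user was last active, when each access key was created, and whether HR has marked the person as departed. The following Python is an added example, not code from the original guide: it keeps that context in a small inventory (a stand-in for the IAM credential report and an HR offboarding feed), replays records in time order, and raises the matrix's alerts for a login or role assumption by an account idle for more than 90 days, an API call signed with a key older than 90 days, a credential minted for an offboarded or idle user, any activity by an offboarded user, and a root console login. The inventory, user names, key IDs and events are all constructed.

```python
"""Added example (not part of the original article): applying the Ghost #3
matrix to CloudTrail records with a constructed credential/offboarding inventory."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

STALE_AFTER = timedelta(days=90)          # the matrix's 90-day inactivity line
LOGIN_CALLS = {"ConsoleLogin", "AssumeRole"}
CREDENTIAL_WRITES = {"CreateAccessKey", "UpdateLoginProfile"}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


class Inventory:
    """Stand-in for the IAM credential report plus the HR offboarding feed."""

    def __init__(self, last_activity: Dict[str, datetime],
                 key_created: Dict[str, datetime], offboarded: Set[str]):
        self.last_activity = last_activity   # IAM user name -> last seen activity
        self.key_created = key_created       # access key id -> creation time
        self.offboarded = offboarded         # user names HR has marked as departed

    def is_stale(self, user: Optional[str], when: datetime) -> bool:
        last = self.last_activity.get(user) if user else None
        return last is not None and when - last > STALE_AFTER


def evaluate(record: Dict, inv: Inventory) -> List[Tuple[str, str]]:
    """Return (priority, rule) pairs for one record, then log it as the user's latest activity."""
    ident, name, when = record["userIdentity"], record["eventName"], _ts(record["eventTime"])
    user = ident.get("userName")
    hits: List[Tuple[str, str]] = []
    # Root Account Misuse: any root console login (other root API use is flagged as well).
    if ident.get("type") == "Root":
        hits.append(("HP", "root-login" if name == "ConsoleLogin" else "root-api-activity"))
    # Stale Account Abuse: cross-reference with the HR offboarding list.
    if user in inv.offboarded:
        hits.append(("HP", "offboarded-user-activity"))
    # Initial Access: login or role assumption by an account idle for more than 90 days.
    if name in LOGIN_CALLS and inv.is_stale(user, when):
        hits.append(("HP", "stale-account-access"))
    # Old Key Use: a call signed with an access key older than 90 days.
    created = inv.key_created.get(ident.get("accessKeyId", ""))
    if created is not None and when - created > STALE_AFTER:
        hits.append(("HP", "old-key-use"))
    # Persistence: keys or passwords minted for an offboarded or idle user.
    if name in CREDENTIAL_WRITES:
        target = (record.get("requestParameters") or {}).get("userName")
        if target in inv.offboarded or inv.is_stale(target, when):
            hits.append(("HP", "credential-minted-for-stale-user"))
    if user:                               # this record is now the user's latest activity
        inv.last_activity[user] = when
    return hits


def scan(events: List[Dict], inv: Inventory) -> List[Tuple[str, str]]:
    """Return (actor, rule) for every alert, replaying records in time order."""
    out = []
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        actor = ev["userIdentity"].get("userName") or ev["userIdentity"].get("type", "?").lower()
        out += [(actor, rule) for _, rule in evaluate(ev, inv)]
    return out


def make_event(t: str, name: str, ident: Dict, **params) -> Dict:
    return {"eventTime": t, "eventName": name, "userIdentity": ident, "requestParameters": params}


# Constructed identities; the key IDs are placeholders, not real keys.
ALICE = {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEALICE0001"}
BOB = {"type": "IAMUser", "userName": "bob-contractor", "accessKeyId": "AKIAEXAMPLEBOB000001"}
CAROL = {"type": "IAMUser", "userName": "carol"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}


def build_inventory() -> Inventory:
    """Fresh constructed inventory as of 2025-06-01: bob idle since January, carol offboarded."""
    return Inventory(
        last_activity={"alice": datetime(2025, 5, 28), "bob-contractor": datetime(2025, 1, 15)},
        key_created={"AKIAEXAMPLEALICE0001": datetime(2025, 5, 1),
                     "AKIAEXAMPLEBOB000001": datetime(2024, 11, 1)},
        offboarded={"carol"},
    )


SAMPLE_EVENTS = [
    make_event("2025-06-01T08:00:00Z", "ConsoleLogin", {"type": "IAMUser", "userName": "bob-contractor"}),
    make_event("2025-06-01T08:05:00Z", "GetCallerIdentity", BOB),
    make_event("2025-06-01T08:10:00Z", "CreateAccessKey", ALICE, userName="carol"),
    make_event("2025-06-01T09:00:00Z", "ConsoleLogin", CAROL),
    make_event("2025-06-01T10:00:00Z", "ConsoleLogin", ROOT),
    make_event("2025-06-01T10:30:00Z", "GetObject", ALICE, bucketName="builds", key="app.zip"),
]
```

`scan(SAMPLE_EVENTS, build_inventory())` yields five alerts: the contractor's login after 137 idle days, his next call signed with a 212-day-old key, the key alice minted for the offboarded carol, carol's own login, and the root login; alice's ordinary object read raises nothing. Because each record updates the inventory, the contractor's second call is not re-flagged as stale, which is the behaviour you want once the first alert has been triaged.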
Action Plan: From Sitting Duck to Security Leader
| Phase | Focus | Key Monitoring APIs | MITRE ATT&CK |
|---|---|---|---|
| Reactive | Repo scans, logging, IAM audit | DeleteTrail, UpdateTrail, PutRolePolicy | T1552, T1580, T1098 |
| Secure Foundations | Secrets mgmt, CI/CD gates, playbooks | CreateAccessKey, GetSecretValue, PassRole | T1555, T1195 |
| Proactive | Anomaly detection, IaC scanning, cross-account hunting | GetCostAndUsage, PutBucketAcl, AssumeRole | T1499, T1562, T1078.004 |
| Resilient | Zero Trust, purple teaming, auto-containment | CreatePolicyVersion, ListBuckets, CopySnapshot | T1556, T1585, T1537 |
The Uncomfortable Questions
If someone used your most privileged AWS role, how long until you’d know?
Do you know where all your AWS credentials live today?
Would you catch a 10x spend spike in hours?
When was your last cloud incident rehearsal?
The Bottom Line
11+ years of AWS breaches prove that security isn’t a checklist—it’s a culture. Automate what you can. Monitor relentlessly. Practice incidents often.
You don’t need to be perfect—just better prepared than yesterday.
References: https://github.com/ramimac/aws-customer-security-incidents