HACKING MY S3: We Simulated the Breach — Here's What We Learned

Kennedy Torkura

Co-founder and CTO, Mitigant | Author

Kennedy is a cloud security researcher and offensive security practitioner specializing in emulating real-world attack paths across AWS, Azure, and GCP. At Mitigant, he focuses on making breach simulation a proactive, everyday practice for cloud defenders.

‍Detections to Deploy (Now):

Snowflake (Crowdstrike):

id: '25231.46712'
title: AWS Instance Metadata Service Queried for Credentials - *nix
description: The AWS Instance Metadata Service (IMDS) provides detailed information
  about EC2 instances, including identity documents, network details, security credentials,
  and user data. It also offers dynamic data about the instance's AMI, reservation
  information, and configuration scripts passed on instance launch. Threat actors
  have been observed querying the AWS IMDS for security credentials or account IDs
  in attacks, such as the Capital One breach in 2019 or attack attempts by threat
  actor group Kinsing. This use case detects queries to 169.254.169.254/latest/meta-data/iam/security-credentials
  or http://169.254.169.254/latest/latest/dynamic/instance-identity/document with
  a status code in the 200s (indicates successful connection). Legitimate services
  within your infrastructure may access the IMDS; validating and allowlisting is recommended.
logic_format: snowflake
logic: 'select * from crowdstrikefdr_process where event_time > dateadd(hour, -2,
  sysdate()) and (event_platform ilike ''%Lin%'' or event_platform ilike ''%Mac%'')
  and process ilike ''%http://169.254.169.254%'' and (process ilike ''%latest/meta-data/iam/security-credentials/%''
  or process ilike ''%/latest/latest/dynamic/instance-identity/document%'') '
techniques:
- credential-access:unsecured credentials:cloud instance metadata api
technique_id:
- T1552.005
data_category:
- EDR Logs
references:
- https://blog.aquasec.com/loony-tunables-vulnerability-exploited-by-kinsing
- https://www.sans.org/blog/cloud-instance-metadata-services-imds-/
- https://sysdig.com/blog/cloud-breach-terraform-data-theft/
- https://www.sneakymonkey.net/cloud-credential-abuse/
- https://blog.appsecco.com/an-ssrf-privileged-aws-keys-and-the-capital-one-breach-4c3c2cded3af

Access the GitHub link

Splunk

id: '25231.46716'
title: AWS Instance Metadata Service Queried for Credentials - *nix
description: The AWS Instance Metadata Service (IMDS) provides detailed information
  about EC2 instances, including identity documents, network details, security credentials,
  and user data. It also offers dynamic data about the instance's AMI, reservation
  information, and configuration scripts passed on instance launch. Threat actors
  have been observed querying the AWS IMDS for security credentials or account IDs
  in attacks, such as the Capital One breach in 2019 or attack attempts by threat
  actor group Kinsing. This use case detects queries to 169.254.169.254/latest/meta-data/iam/security-credentials
  or http://169.254.169.254/latest/latest/dynamic/instance-identity/document with
  a status code in the 200s (indicates successful connection). Legitimate services
  within your infrastructure may access the IMDS; validating and allowlisting is recommended.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_edr` "http://169.254.169.254" ("latest/meta-data/iam/security-credentials/"
  OR "/latest/latest/dynamic/instance-identity/document") | table _time, host, user
  process, process_* | bin span=1s | stats values(*) as * by _time, host '
techniques:
- credential-access:unsecured credentials:cloud instance metadata api
technique_id:
- T1552.005
data_category:
- EDR Logs
references:
- https://blog.aquasec.com/loony-tunables-vulnerability-exploited-by-kinsing
- https://www.sans.org/blog/cloud-instance-metadata-services-imds-/
- https://sysdig.com/blog/cloud-breach-terraform-data-theft/
- https://www.sneakymonkey.net/cloud-credential-abuse/
- https://blog.appsecco.com/an-ssrf-privileged-aws-keys-and-the-capital-one-breach-4c3c2cded3af

Access the GitHub link

‍

IAM Login Profile Abuse:

Technique: Created login profiles to maintain persistent AWS access.
Detections Referenced:
- AWS Attach IAM Role or Policy Detection
- AWS Create Login Profile Detection

Threat Scenario stitching AWS point detections:

‍

‍

Key Lessons Learned:

✅ S3 remains one of the fastest paths to impact.
If buckets are accessible — attackers move quickly to grab and exfiltrate sensitive data.

✅ Credential misuse is harder to spot than traditional malware.
Exfiltration via legit AWS APIs often bypasses traditional alerting unless you’re watching behavior patterns.

✅ Detection alone isn’t enough.
Proactive controls and hardening are mandatory to make S3 exfiltration harder, noisier, and easier to catch early.

Hardening S3: Direct Strategies to Mitigate Exfiltration (based on AWS best practices)

🔒 Block public access at the account and bucket level:
No exceptions unless absolutely necessary — enforce "least privilege" across all objects.

🔒 Use IAM Condition Keys for tight permissions:
Apply conditions like aws:SourceIp, aws:UserAgent, and aws:SecureTransport to control how/where API calls happen.

🔒 Enable CloudTrail data event logging for S3:
Track object-level API actions like GetObject, PutObject, and DeleteObject — not just management operations.

🔒 Use S3 Object Lock or MFA Delete:
Prevent immediate overwrite or delete attacks after compromise.

🔒 Monitor for unusual S3 access patterns:

High-volume downloads
Access from new geographies
Unusual IAM role usage targeting S3

🔒 Routinely validate S3 bucket policies and ACLs:
Make it a regular hygiene practice — not a one-time setup.

‍

AWS Detections to Deploy (Now):

Full detection packs: Anvilogic Forge | Cloud Detections

‍Other References: AWS Strategies to Mitigate Exfiltration from S3

‍‍