Skip to content

AWSLogo

Reconnaissance

Initial Access

Execution

Privilege Escalation

Persistence

Credential Access

Exfiltration
Open Buckets S3 Valid Credentials Using IaC Scripting Privileged Identity Management Role Account Manipulation Debugger Mode Credential Exposure EBS Snapshot sharing
Ports and Services Open Password Spraying Programming Language Scripting Elevated Access Toggle Account Creation Steal Service Principal Certificate CodeBuild VPC Exfiltration
Public Accessible Resource Brute Force Attack Using Command and Interpreter System Local Resource Hijack Generate Backdoor Key Service Principal Secret Reveal Transfer Data to Cloud Accout
Gather User Information Get Accounts ID User Execution AssumeRolePolicy Download Function code Lambda and Add Backdoor in Modified Code Git Repository Misconfigurations Exfiltration OverC2 Channel
Gather Application Information IAM Abuse Deploy vulnerable Instance Create or Update IAM Policy Add new SSH Keys Access Credential from Metadata Endpoint S3 API Object Buckets Exfiltration
Collect IAM information Exploit Public Vulnerability Passing a role to a new Lambda function Network Security Group Modification Unsecured Credentials RDS Data Base Exfiltration
Discover EBS Snapshots Secret Key Hijacking Passing a role to a Glue Development Endpoint External Entity Access Credential OS Environment DNS Exfiltration
Enumerate Secrets Manager Exploit API Lambda Function Passing a role to CloudFormation S3 File ACL Persistence Get Secret Values
Search Access Logs Permission Modified Scanning Flaws Permission User Data Script Persistence
RDS Publics Snapshot Abuse Elevation Controls Mechanism Get IAM Credentials from a Console Session
Collect Information EC2 Instance

Disclaimer

The purpose of the AWS Threat Research Matrix (AWSTRM) is to educate readers on the potential of Aws-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.

Feedback

With the creation of the ATM, resolves based on the idea to create the AWSTRM to be a collaborative effort with the community, thanks @haus3c and Team for the great work! Feedback is highly appreciated. If there is a new technique or does something on this list not agree? Is the formatting off-putting? please let me know. My Email, My LinkedIn, @Cod3Cr4zy

Thanks and Acknowledgements#