May 25, 2026
AWS Privilege Escalation + Service Abuse
Phase 3 notes: privilege escalation paths, trust-policy abuse, and service-level exploitation across S3, IAM, Cognito, SQS, and Lambda.
research
Phase 3 — AWS Privilege Escalation + Service Abuse
Phase Summary
Completed 6 Red Team labs focused on AWS privilege escalation, trust abuse, and multi-service attack paths.
This phase is best done after you are comfortable with IAM enumeration and leaked credential workflows.
Learning Objectives
- Abuse weak S3 bucket policies to gain elevated cloud access.
- Practice role-assumption attack paths, including trust-policy and external ID misuse.
- Exploit service misconfigurations in Cognito, SQS, and Lambda.
- Understand serverless attack chains and data access expansion.
- Strengthen cloud-auth understanding with boto3, STS, S3, and Secrets Manager.
Lab Path
| Order | Lab | Type | Summary |
|---|---|---|---|
| 13 | Exploit Weak Bucket Policies for Privileged Access | 🔴 Red | Abuse overly permissive S3 bucket policies to gain privileged access paths. |
| 14 | S3 Bucket Brute Force to Breach | 🔴 Red | Discover exposed buckets with wordlists and use leaked data for lateral movement. |
| 15 | Assume Privileged Role with External ID | 🔴 Red | Learn role assumption mechanics and trust-policy abuse with external ID contexts. |
| 16 | Abuse Cognito User and Identity Pools | 🔴 Red | Exploit Cognito misconfigurations to gain cloud access and pivot through Lambda workflows. |
| 17 | SQS and Lambda SQL Injection | 🔴 Red | Execute serverless SQL injection paths involving SQS-triggered Lambda processing. |
| 18 | Understand Authentication Mechanisms Using Boto3 | 🔴 Red | Build practical understanding of AWS authentication flows using Python, boto3, STS, S3, and Secrets Manager. |
Key Knowledge After Phase 3
- Privilege escalation often starts from policy weaknesses, not just leaked keys.
- Trust relationships are high-value targets, especially cross-account role assumption where the trust policy omits the sts:ExternalId condition or uses a guessable external ID; that reintroduces the confused-deputy problem the external ID exists to prevent.
- Service chaining increases impact: Cognito, SQS, and Lambda can become pivot channels across accounts and data planes.
- Serverless components are attack surface, and event-driven logic can hide injection and privilege abuse.
- Strong auth-flow literacy is critical for both offense and defense when validating what a principal can actually do in AWS (its effective permissions, not just the policy text attached to it).
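The two policy classes these labs keep returning to (weak S3 bucket policies, and role trust policies without an external ID check) are easy to reason about with a small offline linter. The block below is an added example, not code from the original notes or from the lab platform. It is a simplified model of a few dangerous patterns, not a re-implementation of IAM's policy evaluation: only `StringEquals` on `sts:ExternalId` is modelled, and every other condition fails closed. The account IDs, bucket name, role ARNs and external ID value are constructed for illustration; `assume_role_kwargs` only builds the argument dict that `boto3.client("sts").assume_role(**kwargs)` would take, so nothing here touches a real account.

```python
import json

# Constructed sample accounts and policies for the example (not real values).
ROLE_ACCOUNT = "222222222222"             # account owning the target role
PARTNER_ACCOUNT = "111111111111"          # external account the role trusts
EXTERNAL_ID = "example-external-id-7f3a"  # assumed shared secret for the hardened policy
PARTNER_ROOT = f"arn:aws:iam::{PARTNER_ACCOUNT}:root"
ASSUME = {"sts:AssumeRole", "sts:*", "*"}

# Weak trust policy: cross-account AssumeRole with no sts:ExternalId condition.
WEAK_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PARTNER_ROOT}, "Action": "sts:AssumeRole"}]})

# Hardened trust policy: same principal, but the caller must present the agreed ExternalId.
HARDENED_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PARTNER_ROOT}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})

# Weak bucket policy: anonymous read plus the right to rewrite the policy itself.
WEAK_BUCKET = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutBucketPolicy"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principals(stmt):
    """Flatten the Principal element into a list of ARNs, or ['*'] for anonymous."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return [v for vals in p.values() for v in _as_list(vals)]
    return _as_list(p)


def _allow_statements(policy_json):
    """Yield (statement, set-of-actions) for every Allow statement in the policy."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            yield stmt, set(_as_list(stmt.get("Action", [])))


def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def _has_external_id_condition(stmt):
    for op, kv in stmt.get("Condition", {}).items():
        if op.startswith("StringEquals") and any(k.lower() == "sts:externalid" for k in kv):
            return True
    return False


def lint_trust_policy(policy_json, role_account):
    """Flag trust-policy patterns that make a role assumable by unintended callers."""
    findings = []
    for stmt, actions in _allow_statements(policy_json):
        if not actions & ASSUME:
            continue
        for p in _principals(stmt):
            if p == "*":
                findings.append("Principal '*' may assume the role: any AWS identity with sts:AssumeRole")
            elif _account_of(p) != role_account and not _has_external_id_condition(stmt):
                findings.append(f"cross-account principal {p} trusted without sts:ExternalId condition (confused deputy)")
    return findings


def lint_bucket_policy(policy_json):
    """Flag anonymous access and policy self-modification in an S3 bucket policy."""
    findings = []
    for stmt, actions in _allow_statements(policy_json):
        anonymous = "*" in _principals(stmt) and "Condition" not in stmt
        if not anonymous:
            continue
        for a in sorted(actions):
            findings.append(f"anonymous principal allowed {a} with no Condition")
        if actions & {"s3:PutBucketPolicy", "s3:*", "*"}:
            findings.append("anonymous principal can rewrite the bucket policy (privilege escalation)")
    return findings


def assume_role_permitted(policy_json, caller_arn, external_id=None):
    """Simplified model of the trust-policy check on AssumeRole: the caller (or its
    account root) must be a listed principal, and only StringEquals on sts:ExternalId
    is understood; any other condition key or operator fails closed."""
    caller_root = f"arn:aws:iam::{_account_of(caller_arn)}:root"
    for stmt, actions in _allow_statements(policy_json):
        if not actions & ASSUME or not ({"*", caller_arn, caller_root} & set(_principals(stmt))):
            continue
        ok = True
        for op, kv in stmt.get("Condition", {}).items():
            if op != "StringEquals":
                ok = False
                continue
            for key, val in kv.items():
                if key.lower() != "sts:externalid" or external_id not in _as_list(val):
                    ok = False  # unmodelled key, or wrong/missing ExternalId
        if ok:
            return True
    return False


def assume_role_kwargs(role_arn, session_name, external_id=None):
    """Arguments for boto3.client('sts').assume_role(**kwargs); ExternalId only when agreed."""
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if external_id is not None:
        kwargs["ExternalId"] = external_id
    return kwargs


if __name__ == "__main__":
    attacker = f"arn:aws:iam::{PARTNER_ACCOUNT}:user/attacker"
    print(lint_trust_policy(WEAK_TRUST, ROLE_ACCOUNT))
    print(lint_trust_policy(HARDENED_TRUST, ROLE_ACCOUNT))
    print(lint_bucket_policy(WEAK_BUCKET))
    print(assume_role_permitted(WEAK_TRUST, attacker), assume_role_permitted(HARDENED_TRUST, attacker))
```

The point the linter makes concrete: with the weak trust policy, any identity in the partner account that holds `sts:AssumeRole` can take the role, so compromising one low-value user there is enough; with the hardened policy the same caller is refused until it also presents the agreed external ID, which is the whole reason the `ExternalId` argument exists on `assume_role`. The anonymous `s3:PutBucketPolicy` grant is the bucket-policy analogue: whoever can rewrite the policy can grant themselves whatever else they want on the bucket.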