astronaut
Logbook
Web Security • Research • CTF
May 25, 2026

AWS Privilege Escalation + Service Abuse

Phase 3 notes: privilege escalation paths, trust-policy abuse, and service-level exploitation across S3, IAM, Cognito, SQS, and Lambda.

research

Phase 3 — AWS Privilege Escalation + Service Abuse

Phase Summary

Completed 6 Red Team labs focused on AWS privilege escalation, trust abuse, and multi-service attack paths.

This phase is best done after you are comfortable with IAM enumeration and leaked credential workflows.

Learning Objectives

  • Abuse weak S3 bucket policies to gain elevated cloud access.
  • Practice role-assumption attack paths, including trust-policy and external ID misuse.
  • Exploit service misconfigurations in Cognito, SQS, and Lambda.
  • Understand serverless attack chains and how a foothold in one service expands access to data in others.
  • Strengthen cloud-auth understanding with boto3, STS, S3, and Secrets Manager.

Lab Path

Order | Lab | Type | Summary
13 | Exploit Weak Bucket Policies for Privileged Access | 🔴 Red | Abuse overly permissive S3 bucket policies to gain privileged access paths.
14 | S3 Bucket Brute Force to Breach | 🔴 Red | Discover exposed buckets with wordlists and use leaked data for lateral movement.
15 | Assume Privileged Role with External ID | 🔴 Red | Learn role assumption mechanics and trust-policy abuse with external ID contexts.
16 | Abuse Cognito User and Identity Pools | 🔴 Red | Exploit Cognito misconfigurations to gain cloud access and pivot through Lambda workflows.
17 | SQS and Lambda SQL Injection | 🔴 Red | Execute serverless SQL injection paths involving SQS-triggered Lambda processing.
18 | Understand Authentication Mechanisms Using Boto3 | 🔴 Red | Build practical understanding of AWS authentication flows using Python, boto3, STS, S3, and Secrets Manager.
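The policy weaknesses that labs 13 and 15 are built around can be checked offline, before touching an account. The block below is an added example written for these notes, not code from the labs: a small checker that flags S3 bucket policies granting anonymous or cross-account write/policy access, flags role trust policies that trust a whole foreign account without an sts:ExternalId condition, and a simplified model of how the trust-policy side of AssumeRole decides whether a caller (and the external ID it presents) matches. All sample policies, the account IDs 111111111111 and 222222222222, the bucket name, role names and the external ID are constructed placeholders.

```python
import json

# Constructed sample policies. Account IDs, bucket and role names and the
# external ID are placeholders, not values from the labs.
OWNER = "111111111111"   # account that owns the bucket and the role
VENDOR = "222222222222"  # third-party account the role is meant to trust

WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]},
        {"Sid": "PolicyTakeover", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:PutBucketPolicy", "Resource": "arn:aws:s3:::example-data"},
    ],
}
SCOPED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{OWNER}:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
    ],
}
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{VENDOR}:root"}}],
}
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{VENDOR}:root"},
                   "Condition": {"StringEquals": {"sts:ExternalId": "a3f9-vendor-example"}}}],
}

S3_TAKEOVER_ACTIONS = {"s3:*", "*", "s3:putbucketpolicy", "s3:putbucketacl",
                       "s3:putobject", "s3:deleteobject"}
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(stmt):
    """Flatten the Principal element to a list of strings; '*' means anonymous."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    return [x for key in ("AWS", "Federated", "Service") for x in _as_list(p.get(key, []))]


def _actions(stmt):
    return {a.lower() for a in _as_list(stmt.get("Action", []))}


def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def _external_ids(stmt):
    """Values of a StringEquals sts:ExternalId condition, or None if there is none."""
    for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "sts:externalid":
            return _as_list(value)
    return None


def bucket_policy_findings(policy, owner_account):
    """(Sid, reason) for Allow statements that hand access outside the owner account."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions, principals = stmt.get("Sid", "<no sid>"), _actions(stmt), _principals(stmt)
        foreign = [p for p in principals if p != "*" and _account_of(p) not in (None, owner_account)]
        if "*" in principals and not stmt.get("Condition"):
            what = "modify the bucket or its policy" if actions & S3_TAKEOVER_ACTIONS else "read the bucket"
            findings.append((sid, f"anonymous principal can {what}"))
        if foreign and actions & S3_TAKEOVER_ACTIONS:
            findings.append((sid, f"cross-account write/policy access for {foreign}"))
    return findings


def trust_policy_findings(policy, owner_account):
    """(principal, reason) for trust statements an outsider could satisfy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _actions(stmt) & ASSUME_ACTIONS:
            continue
        for p in _principals(stmt):
            if p == "*":
                findings.append((p, "any AWS principal may assume the role"))
            elif p.endswith(":root") and _account_of(p) != owner_account and _external_ids(stmt) is None:
                findings.append((p, "foreign account trusted without sts:ExternalId"))
    return findings


def can_assume(trust_policy, caller_arn, external_id=None):
    """Simplified model of the trust-policy half of AssumeRole (assumption made
    for this example: the caller's own identity policy, SCPs and explicit Deny
    statements are ignored). A ':root' principal admits every IAM principal in
    that account, which is what makes a missing ExternalId condition usable by
    anyone with a foothold in the trusted account or by a confused vendor."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _actions(stmt) & ASSUME_ACTIONS:
            continue
        account_root = f"arn:aws:iam::{_account_of(caller_arn)}:root"
        if not ({"*", caller_arn, account_root} & set(_principals(stmt))):
            continue
        wanted = _external_ids(stmt)
        if wanted is None or external_id in wanted:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(bucket_policy_findings(WEAK_BUCKET_POLICY, OWNER), indent=2))
    print(json.dumps(trust_policy_findings(WEAK_TRUST_POLICY, OWNER), indent=2))
    attacker = f"arn:aws:iam::{VENDOR}:user/anyone-in-vendor-account"
    print(can_assume(WEAK_TRUST_POLICY, attacker), can_assume(HARDENED_TRUST_POLICY, attacker))
```

Two caveats worth keeping in mind when reading the output: the external ID is not a secret (AWS documents it as a confused-deputy defence, not an authentication factor), so a trust policy with Principal "*" plus an ExternalId condition is still reported as open; and the model above only covers the trust policy, so a real AssumeRole additionally needs the caller's identity policy to allow sts:AssumeRole on that role ARN.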

Key Knowledge After Phase 3

  1. Privilege escalation often starts from policy weaknesses, not just leaked keys.
  2. Trust relationships are high-value targets, especially role assumption with loose external ID handling.
  3. Service chaining increases impact: Cognito, SQS, and Lambda can become pivot channels across accounts and data planes.
  4. Serverless components are attack surface, and event-driven logic can hide injection and privilege abuse.
  5. Strong auth-flow literacy is critical for both offense and defense when validating real AWS permission boundaries.
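Point 4 is easiest to see in code. The block below is an added example written for these notes, not code from lab 17: an SQS-triggered Lambda handler that builds its query from the message body, the same handler with a parameterised query and an allowlist on the field's format, and a constructed SQS event carrying two injection payloads (a tautology that dumps every row, and a UNION that leaks a column the handler never meant to return). sqlite3 stands in for the database the real function would talk to; the table contents, message bodies and handler names are made up.

```python
import json
import re
import sqlite3


def make_db():
    """Constructed stand-in for the orders database the Lambda would query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL, secret_note TEXT);
        INSERT INTO orders VALUES (1, 'cust-100', 19.99, 'gift card code ABCD-1234');
        INSERT INTO orders VALUES (2, 'cust-200', 250.0, 'vip discount token');
        INSERT INTO orders VALUES (3, 'cust-300', 5.0, NULL);
    """)
    return conn


DB = make_db()  # Lambda code usually keeps the connection at module scope


def sqs_event(*bodies):
    """Build an event in the shape Lambda receives from an SQS trigger (only the
    fields the handlers read); bodies are JSON-encoded as a producer would send them."""
    return {"Records": [{"messageId": str(i), "eventSource": "aws:sqs",
                         "body": json.dumps(b)} for i, b in enumerate(bodies)]}


def vulnerable_handler(event, context):
    """The message body goes straight into the SQL string: whoever can write to
    the queue, or to whatever feeds it, controls the query."""
    rows = []
    for record in event["Records"]:
        body = json.loads(record["body"])
        sql = f"SELECT id, customer, total FROM orders WHERE customer = '{body['customer_id']}'"
        rows.extend(DB.execute(sql).fetchall())
    return rows


CUSTOMER_ID = re.compile(r"cust-\d{1,10}")  # assumed format of a valid customer id


def fixed_handler(event, context):
    """Parameterised query plus an allowlist on the expected format. Malformed
    records are skipped here; a production function would report them as batch
    item failures so they end up in the dead-letter queue instead of retrying."""
    rows = []
    for record in event["Records"]:
        customer = json.loads(record["body"]).get("customer_id")
        if not isinstance(customer, str) or not CUSTOMER_ID.fullmatch(customer):
            continue
        rows.extend(DB.execute(
            "SELECT id, customer, total FROM orders WHERE customer = ?", (customer,)).fetchall())
    return rows


# Constructed payloads an attacker who can enqueue messages might send.
TAUTOLOGY = "x' OR '1'='1"
UNION_LEAK = "x' UNION SELECT id, secret_note, 0 FROM orders --"

if __name__ == "__main__":
    print(vulnerable_handler(sqs_event({"customer_id": TAUTOLOGY}), None))
    print(vulnerable_handler(sqs_event({"customer_id": UNION_LEAK}), None))
    print(fixed_handler(sqs_event({"customer_id": TAUTOLOGY}, {"customer_id": "cust-200"}), None))
```

The attack surface here is the queue's write side, which is why sqs:SendMessage on a processing queue deserves the same scrutiny as direct database access: any principal, or any upstream service, that can put a message on the queue gets to pick the SQL the consumer runs.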