TL;DR

Modern cloud breaches don’t rely on exploiting vulnerabilities—they exploit legitimate credentials and overpermissioned identities. Attackers follow a predictable 4-phase chain: initial access through leaked credentials, identity enumeration via API calls, attack path discovery through permission mapping, and controlled abuse while evading detection. Unlike traditional network intrusions, these attacks use valid API calls that look legitimate, making them exceptionally hard to detect without behavioral analytics and strict IAM hygiene.

Why Cloud Changes the Attack Game

Traditional cybersecurity focused on perimeter defense: firewalls, intrusion detection systems, network segmentation. If an attacker wanted access to your database, they had to breach the network, pivot through systems, escalate privileges, and eventually reach the target. This left a trail of artifacts: exploit attempts, lateral movement traffic, privilege escalation attempts.

Cloud infrastructure fundamentally breaks this model.

In cloud environments, the perimeter is identity. An attacker with valid AWS credentials doesn’t need to exploit a single vulnerability—they simply call the AWS API with legitimate authentication. From AWS’s perspective, these are authorized requests. There’s no “break-in” to detect.

Consider this scenario: An attacker finds an AWS access key in a public GitHub repository. Within minutes, they can:

  • Query what permissions that key has (aws sts get-caller-identity)
  • List all S3 buckets (aws s3 ls)
  • Download sensitive data (aws s3 sync s3://company-backups ./)
  • Create a new admin user for persistence (aws iam create-user)

Every single action is a legitimate API call. No exploit. No malware. No network anomaly. Just valid authentication executing valid operations.

This is why permissions are more dangerous than vulnerabilities in cloud environments. A misconfigured IAM policy can grant an attacker instant access to your entire infrastructure without ever triggering traditional security controls.

The attack surface has shifted from “can you break in?” to “who has access to what?”


Phase 1: Initial Access

Initial access vectors for cloud credentials have shifted from technical exploitation to operational security failures.

Primary Access Vectors:

Exposed secrets in repositories remain the dominant vector. Automated scanning identifies committed credentials within minutes of public repository commits. AWS access keys (AKIA* patterns), Azure connection strings, and GCP service account keys are continuously harvested.

Phishing targeting SSO portals yields immediate cloud access. MFA fatigue attacks—repetitive push notifications until approval—bypass multi-factor controls. Compromised SSO sessions grant authenticated access across all integrated cloud services.

CI/CD pipeline compromise exposes overprivileged service accounts. GitHub Actions, GitLab CI, and Jenkins workflows store credentials as environment variables. Pull request injection and stolen pipeline tokens provide persistent access to deployment credentials.

Supply chain attacks through malicious NPM/PyPI packages exfiltrate credentials from environment variables during build processes.

Detection Strategy

Initial access detection requires behavioral anomaly identification:

  • Geographic inconsistencies (impossible travel, non-corporate IP ranges)
  • Temporal anomalies (authentication outside normal working hours)
  • Dormant credential activation (unused keys suddenly active)
  • Authentication patterns indicating credential stuffing
  • VPN/proxy service authentication from non-approved sources

Phase 2: Identity Enumeration

Post-authentication reconnaissance determines permission scope and accessible resources. Enumeration API calls are legitimate operations indistinguishable from normal administrative activity without behavioral context.

Enumeration Objectives:

Attackers map their access through identity queries (GetCallerIdentity, Get-AzContext), permission enumeration (attached policies, role assignments), and resource discovery (storage, compute, database services). This reconnaissance phase typically completes within minutes, generating characteristic API call patterns.

Target Information:

  • Identity type and associated permissions
  • AssumeRole capabilities and role chains
  • Resource inventory (storage buckets, databases, compute instances)
  • Service account permissions and managed identities
  • Cross-account access possibilities

Detection Indicators

Enumeration generates concentrated API activity atypical of human operators:

  • Rapid sequential permission/identity queries (10+ calls in under 5 minutes)
  • Cross-service resource enumeration
  • Permission boundary probing (testing API responses for access patterns)
  • API calls inconsistent with identity’s normal function
  • First-time API usage by established identities

Baseline deviation is critical—identities exhibit consistent API usage patterns. SOC teams should profile normal behavior per identity: typical API calls, resource access patterns, time-of-day activity, geographic consistency.
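As an added example (not code from the original article), here is a detector for two of the indicators above, a burst of discovery calls and first-time API use by an established identity, run over constructed CloudTrail-shaped records; the identity ARNs, the enumeration call list and the per-identity baselines are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Read-only discovery calls an attacker issues to map what a stolen key can reach (assumed list).
ENUMERATION_CALLS = {
    "GetCallerIdentity", "GetUser", "ListAttachedUserPolicies", "ListUserPolicies",
    "ListRoles", "ListPolicies", "GetAccountAuthorizationDetails", "ListBuckets",
    "DescribeInstances", "ListFunctions", "ListSecrets", "DescribeDBInstances",
}
WINDOW, THRESHOLD = timedelta(minutes=5), 10     # the "10+ calls in under 5 minutes" indicator

def parse_event(line):
    """Actor ARN, API name and timestamp from one CloudTrail record (JSON)."""
    ev = json.loads(line)
    return (ev["userIdentity"]["arn"], ev["eventName"],
            datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))

def detect_enumeration(lines, baseline):
    """Alerts per identity: a burst of discovery calls inside WINDOW, and any API the
    identity has never used before according to its baseline profile."""
    recent = defaultdict(deque)          # arn -> timestamps of recent enumeration calls
    alerts = []
    for arn, name, ts in map(parse_event, lines):
        if name not in baseline.get(arn, set()):
            alerts.append(("first_time_api", arn, name))
        if name not in ENUMERATION_CALLS:
            continue
        q = recent[arn]
        q.append(ts)
        while ts - q[0] > WINDOW:        # drop calls that fell out of the sliding window
            q.popleft()
        if len(q) == THRESHOLD:          # fire once, when the threshold is first crossed
            alerts.append(("enumeration_burst", arn, THRESHOLD))
    return alerts

def _ev(arn, name, minute):              # constructed CloudTrail-shaped record
    return json.dumps({"userIdentity": {"arn": arn}, "eventName": name,
                       "eventTime": f"2025-01-15T10:{minute:02d}:00Z"})

# Constructed sample: a leaked CI key maps its access in three minutes while the real
# deploy role does its usual work; baselines list the APIs each identity normally calls.
LEAKED_KEY = "arn:aws:iam::123456789012:user/ci-deploy"
DEPLOY_ROLE = "arn:aws:sts::123456789012:assumed-role/deploy/run"
SAMPLE_LINES = [_ev(LEAKED_KEY, n, i // 4) for i, n in enumerate(sorted(ENUMERATION_CALLS))]
SAMPLE_LINES.append(_ev(DEPLOY_ROLE, "UpdateFunctionCode", 2))
BASELINE = {LEAKED_KEY: {"PutObject", "GetObject"},
            DEPLOY_ROLE: {"UpdateFunctionCode", "GetFunction", "ListFunctions"}}
```

Running `detect_enumeration(SAMPLE_LINES, BASELINE)` yields one burst alert for the leaked key plus a first-time-API alert for each discovery call it made, and nothing for the deploy role.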


Phase 3: Attack Path Discovery

Attack paths exploit permission graphs—role assumption chains, resource-based policies, and service-to-service trust relationships. Cloud IAM creates complex permission inheritance rarely visible in traditional tooling.

Common Escalation Vectors:

Role assumption chains enable privilege escalation through sequential role transitions. Identities with AssumeRole permissions pivot through progressively privileged roles until reaching administrative access. AWS role chains, Azure Managed Identity abuse, and GCP service account impersonation follow similar patterns.

PassRole exploitation allows attackers to assign privileged IAM roles to services they control. Creating Lambda functions or EC2 instances with administrative roles grants code execution at elevated privilege levels.

Resource-based policy misconfigurations bypass IAM controls entirely. S3 bucket policies, Lambda resource policies, and cross-account trust relationships grant access independent of identity permissions.

Service principal compromise in Azure exposes Managed Identity permissions. VM compromise inherits whatever permissions the Managed Identity possesses—frequently including Key Vault, storage, and subscription-level access.

Reconnaissance Tooling

Attackers leverage the same tools defenders use for IAM auditing: CloudFox (AWS relationship mapping), ScoutSuite (multi-cloud misconfiguration detection), Pacu (AWS exploitation framework), and ROADtools (Azure AD enumeration). Regular execution of these tools against your own infrastructure identifies attack paths before adversaries discover them.

Detection and Prevention

Detection indicators:

  • AssumeRole activity from non-human identities or unusual role chains
  • PassRole events coupled with compute/function creation
  • New service account or IAM user creation with attached policies
  • IAM or resource policy modifications
  • Role assumption patterns inconsistent with identity baseline

Preventive controls:

  • Strict least privilege enforcement (no wildcard permissions)
  • Permission boundaries limiting maximum privilege ceiling
  • Service Control Policies in AWS Organizations
  • Time-limited elevated access (JIT) replacing standing privileges
  • Break-glass access patterns for emergency administrative operations

Phase 4: Controlled Abuse

Final-stage operations prioritize stealth over speed. Sophisticated threat actors maintain persistent access and exfiltrate data while minimizing detection surface.

Exfiltration Techniques

Storage manipulation avoids direct data transfer logging. Modifying bucket policies to enable public access allows external download without CloudTrail visibility. Cross-account sharing through resource policies transfers data between AWS accounts, bypassing internet egress monitoring.

Snapshot exfiltration targets databases and volumes. RDS snapshots and EBS snapshots shared cross-account enable complete data extraction without direct transfer events.

Staged exfiltration distributes data transfer over extended timeframes, mimicking legitimate backup or synchronization patterns.

Persistence Mechanisms

Backdoor identity creation establishes long-term access independent of initial compromise vector. New IAM users with programmatic access keys survive credential rotation of the original compromised identity.

Lambda implants with public API Gateway triggers create HTTPS-accessible backdoors requiring no AWS credentials for activation.

Federation manipulation modifies SAML or OIDC identity provider configurations, allowing attacker-controlled authentication sources.

Anti-Forensics

CloudTrail manipulation—disabling logging, deleting events, or filtering specific event types—creates forensic blind spots. More subtle approaches modify trail configuration to exclude IAM changes or specific service events from logging.

Critical Detection Points

High-priority alerting for:

  • Storage policy modifications enabling public or cross-account access
  • Snapshot sharing to external accounts (RDS, EBS)
  • New IAM user creation with administrative policy attachment
  • CloudTrail configuration changes (stop-logging, event filtering)
  • Abnormal data access volume or patterns

Behavioral correlation rules:

  • Enumeration → privilege escalation → data exfiltration sequence within 1-hour window
  • IAM user creation + admin policy attachment + access key generation within 5 minutes
  • Storage policy modification + high-volume GetObject requests within 10 minutes

SIEM correlation across multiple indicators provides reliable detection where individual events appear benign.


Why Identity Attacks Are Hard to Detect

Traditional security monitoring relies on IOCs—malicious IPs, file hashes, exploit signatures. Identity attacks produce none of these artifacts.

No exploits, no malware. Valid credentials executing legitimate API calls over HTTPS to official cloud provider endpoints. From the provider’s perspective, authenticated requests are indistinguishable from authorized operations.

Massive log volume. Medium-sized cloud deployments generate millions of audit events daily. Identifying malicious API calls within legitimate operational noise requires behavioral baselining and contextual analysis impossible with signature-based detection.

Attacker tradecraft. Sophisticated operators deliberately slow activity, use legitimate tooling (AWS CLI, SDKs), and operate during business hours. They blend into normal operational patterns, making rate-based or threshold alerting ineffective.

Cloud providers cannot distinguish stolen credentials from legitimate ones—authentication is authorization. This fundamental difference from on-premises security requires behavioral analytics, identity-centric monitoring, and continuous IAM auditing.


Detection Strategies for Blue Teams

Identity attack detection requires behavioral analytics and continuous IAM auditing rather than signature-based approaches.

Preventive Controls

Least privilege enforcement limits blast radius. Eliminate wildcard permissions and AdministratorAccess policies (except for break-glass accounts), and implement permission boundaries that define maximum privilege ceilings. Time-limited JIT access replaces standing administrative privileges.

Credential hygiene: Short-lived temporary credentials via STS, enforced 90-day rotation policies, automated secrets scanning in repositories, and removal of unused credentials (AWS Access Advisor, Azure Inactive Credentials reporting).

Network segmentation: VPC endpoints for private AWS service connectivity, IP allowlisting restricting API access to corporate ranges, MFA requirements for sensitive operations.

Detection Controls

Behavioral baselining profiles normal identity behavior: API usage patterns, resource access, temporal activity, geographic consistency. Deviations trigger investigation workflows.

Platform-native tools: AWS GuardDuty (ML-based threat detection), Azure Sentinel (SIEM with behavioral analytics), GCP Security Command Center.

High-priority monitoring:

  • IAM modifications (user creation, policy changes, role assumption)
  • Sensitive data access (storage, databases)
  • Cross-account activity (external account AssumeRole)
  • Audit log tampering (CloudTrail disable, log deletion)

SIEM correlation detects multi-stage attacks:

IF: 10+ permission queries in 5 minutes
AND: Role assumption to elevated privileges within 30 minutes
AND: Sensitive resource access within 1 hour
THEN: Alert compromised credential
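An added example, not part of the article, that implements the stage-chain rules from the Phase 4 "behavioral correlation rules" list and the IF/AND/THEN rule above as one per-identity state machine over constructed CloudTrail-shaped records; the identities, timestamps and the specific API names chosen for each stage are assumptions.

```python
import json
from datetime import datetime, timedelta

def parse_event(line):
    """Actor, API name, time and request parameters from one CloudTrail record."""
    ev = json.loads(line)
    return {"arn": ev["userIdentity"]["arn"], "name": ev["eventName"],
            "ts": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "params": ev.get("requestParameters") or {}}

def correlate(lines, stages):
    """Per actor, match stages in order; each later stage must land within its deadline
    (measured from the first stage's match). Returns (arn, time) per completed chain."""
    progress, hits = {}, []
    for ev in map(parse_event, lines):
        idx, start = progress.get(ev["arn"], (0, None))
        if start is not None and ev["ts"] - start > stages[idx][2]:
            idx, start = 0, None                  # deadline missed: the chain restarts
        if stages[idx][1](ev):
            start = start or ev["ts"]
            idx += 1
            if idx == len(stages):
                hits.append((ev["arn"], ev["ts"]))
                idx, start = 0, None
        progress[ev["arn"]] = (idx, start)
    return hits
ADMIN = lambda ev: ev["params"].get("policyArn", "").endswith("/AdministratorAccess")
# Rule 1: IAM user creation + admin policy attachment + access key generation within 5 minutes.
BACKDOOR_USER = [
    ("create_user", lambda ev: ev["name"] == "CreateUser", None),
    ("attach_admin", lambda ev: ev["name"] == "AttachUserPolicy" and ADMIN(ev), timedelta(minutes=5)),
    ("create_key", lambda ev: ev["name"] == "CreateAccessKey", timedelta(minutes=5))]
# Rule 2: enumeration, then role assumption within 30 minutes, then sensitive access within 1 hour.
ESCALATION_CHAIN = [
    ("enumerate", lambda ev: ev["name"] in {"GetCallerIdentity", "ListRoles", "ListAttachedUserPolicies"}, None),
    ("assume_role", lambda ev: ev["name"] == "AssumeRole", timedelta(minutes=30)),
    ("sensitive_access", lambda ev: ev["name"] in {"GetObject", "GetSecretValue"}, timedelta(hours=1))]
def _ev(arn, name, hhmm, params=None):            # constructed CloudTrail-shaped record
    return json.dumps({"userIdentity": {"arn": arn}, "eventName": name,
                       "eventTime": f"2025-01-15T{hhmm}:00Z", "requestParameters": params})
# Constructed sample: an admin onboarding a read-only user at 09:00; a stolen CI identity building a backdoor at 10:00.
ADMIN_USER, STOLEN = "arn:aws:iam::123456789012:user/alice", "arn:aws:iam::123456789012:user/ci-deploy"
SAMPLE_LINES = [
    _ev(ADMIN_USER, "CreateUser", "09:00", {"userName": "bob"}),
    _ev(ADMIN_USER, "AttachUserPolicy", "09:01", {"policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    _ev(ADMIN_USER, "CreateAccessKey", "09:02", {"userName": "bob"}),
    _ev(STOLEN, "CreateUser", "10:00", {"userName": "svc-backup"}),
    _ev(STOLEN, "AttachUserPolicy", "10:02", {"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev(STOLEN, "CreateAccessKey", "10:03", {"userName": "svc-backup"})]
```

`correlate(SAMPLE_LINES, BACKDOOR_USER)` fires only for the stolen identity: the admin's onboarding never attaches AdministratorAccess, so its chain stalls at stage two.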

Audit and Response

IAM auditing tools: ScoutSuite, Prowler, CloudFox, PMapper—run them monthly to identify overpermissioned identities, privilege escalation paths, unused credentials, and misconfigured resource policies.

Incident response playbook:

  1. Immediate credential revocation (disable IAM users, revoke access keys)
  2. Blast radius assessment (audit accessed resources)
  3. Audit log analysis (complete activity timeline via CloudTrail/Activity Logs)
  4. Persistence hunting (backdoor IAM users, modified policies, Lambda implants)
  5. Credential rotation (all potentially exposed keys)
  6. Post-incident review (compromise vector, control failures)

Summary

Cloud security is fundamentally an identity problem. Attackers don’t need to exploit vulnerabilities when they can walk through the front door with valid credentials and overpermissioned access.

The 4-phase attack chain:

  1. Initial Access: Leaked keys, phishing, compromised CI/CD
  2. Identity Enumeration: Map permissions and accessible resources
  3. Attack Path Discovery: Find privilege escalation chains
  4. Controlled Abuse: Exfiltrate data, establish persistence, evade detection

Why it’s hard to detect:

  • No traditional IOCs (no malware, no exploits)
  • Valid credentials = legitimate-looking API calls
  • Massive audit log volume creates noise
  • Attackers blend in with normal usage patterns

Defensive strategy:

  • Prevent: Least privilege, credential hygiene, permission boundaries
  • Detect: Behavioral analytics, SIEM correlation, high-value resource monitoring
  • Audit: Regular IAM reviews, red team exercises, attack path enumeration
  • Respond: Rapid credential revocation, blast radius assessment, persistence hunting

The perimeter is dead. Identity is the new perimeter. Securing cloud infrastructure means securing every identity’s permissions and continuously monitoring for abuse.


Tools

  1. AWS IAM Access Analyzer - Identify overly permissive IAM policies
  2. ScoutSuite (Multi-cloud IAM Auditing) - Open-source security auditing tool
  3. CloudFox (AWS Attack Path Analysis) - Enumerate AWS attack paths
  4. Prowler (AWS Security Best Practices) - AWS security assessment tool
  5. Azure Security Center - Cloud security posture management
  6. GCP Security Command Center - GCP security and risk management
  7. MITRE ATT&CK Cloud Matrix - Cloud-specific attack techniques
  8. AWS CloudTrail Documentation - Enable and analyze audit logs
  9. Pacu (AWS Exploitation Framework) - Test your AWS security (Red Team)
  10. ROADtools (Azure AD Reconnaissance) - Azure identity enumeration toolkit