Cached AWS Access Key Could Expose 98% of Cloud Entities, Researchers Warn
A routine cached AWS access key on a single Windows machine could have exposed 98% of a company's cloud entities, highlighting identity-based attack paths from normal credential caching.

A cached AWS access key on a single Windows machine could have opened a path to 98% of a company's cloud entities, according to new research. The key was stored automatically through normal user login—standard AWS behavior—without any misconfiguration or policy violation. Yet it was easily accessible to even a low-skilled attacker, demonstrating how routine credential caching creates identity-based attack paths.
The scenario underscores the risk of overprivileged access keys in cloud environments. In this case, the cached key had broad permissions, allowing an attacker who gained access to the Windows machine to pivot into the cloud and compromise nearly all entities. The research highlights that such keys are often left with excessive privileges, making them high-value targets.
Identity-based attacks are increasingly common as organizations adopt cloud services. Attackers target cached credentials, session tokens, and API keys to bypass perimeter defenses. The AWS key in question was not misconfigured—it was simply too powerful for the user's role, a common issue known as overprivileged access.
To mitigate such risks, experts recommend implementing least-privilege access policies, rotating credentials frequently, and monitoring for anomalous use of access keys. Tools like AWS IAM Access Analyzer can help identify overprivileged roles. Additionally, organizations should enforce multi-factor authentication and use short-lived credentials where possible.
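The three mitigations above (least privilege, rotation, and monitoring for anomalous key use) can each be turned into a concrete check. The following is an added example, not code from the research or from AWS: it audits rows in the column layout of an IAM credential report for keys that are stale, active but never used, or belonging to users without MFA; flags an IAM policy document whose Allow statement grants every action on every resource; and scans CloudTrail-style events for an access key used from a source IP outside its known baseline. All sample data (users, account number, key ID, IPs, event names) is constructed, and the `BASELINE` mapping and `NOW` timestamp are assumptions chosen to keep the example deterministic.

```python
"""Defender-side checks for cached/overprivileged AWS access keys.
Added example code; sample data is constructed, not from the page."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed rows in the column layout of the IAM credential report (subset of columns).
SAMPLE_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,arn:aws:iam::111111111111:user/alice,true,true,2024-03-01T09:00:00+00:00,2024-05-10T10:00:00+00:00
bob,arn:aws:iam::111111111111:user/bob,false,true,2023-06-01T09:00:00+00:00,N/A
carol,arn:aws:iam::111111111111:user/carol,true,false,N/A,N/A
"""

# Fixed "now" (assumption) so the example is deterministic.
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)


def parse_report_ts(value):
    """Credential reports carry ISO 8601 timestamps or the literal 'N/A'."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_age_days=90):
    """Return (user, finding) pairs for keys that violate rotation, usage or MFA hygiene."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["access_key_1_active"] == "true":
            rotated = parse_report_ts(row["access_key_1_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_age_days):
                findings.append((user, "key_not_rotated"))
            # An active key that has never been used is pure attack surface.
            if parse_report_ts(row["access_key_1_last_used_date"]) is None:
                findings.append((user, "active_key_never_used"))
        if row["mfa_active"] != "true":
            findings.append((user, "mfa_disabled"))
    return findings


def is_overprivileged(policy):
    """True if any Allow statement grants every action on every resource."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False


# Constructed CloudTrail-like events: the key is used from its usual IP, then from an unknown one.
SAMPLE_EVENTS = [
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]
# Assumed baseline: the source IPs each key is normally used from.
BASELINE = {"AKIAIOSFODNN7EXAMPLE": {"198.51.100.7"}}


def detect_new_sources(events, baseline):
    """Flag events where an access key is used from an IP not in its baseline."""
    alerts = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        ip = ev.get("sourceIPAddress")
        if key and ip not in baseline.get(key, set()):
            alerts.append((key, ip, ev["eventName"]))
    return alerts


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"credential report: {user}: {finding}")
    wide_open = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
    print("policy overprivileged:", is_overprivileged(wide_open))
    for key, ip, name in detect_new_sources(SAMPLE_EVENTS, BASELINE):
        print(f"alert: key {key} used from new source {ip} ({name})")
```

In production the credential report comes from `iam generate-credential-report` / `get-credential-report`, the policy documents from the IAM API, and the events from CloudTrail; the baseline of expected source IPs per key is the part that needs tuning, since a key legitimately used from many networks will otherwise generate noise.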
The research serves as a reminder that even routine operations can introduce significant risk. As cloud adoption grows, securing identity and access management becomes critical to preventing lateral movement and data breaches.