Exploiting Cloud Provider Vulnerabilities for Initial Access

Nick Frichette

DEF CON 32 · Day 1 · Main Stage

In his DEF CON 32 talk, Nick Frichette, a security researcher at DataDog specializing in AWS offensive security, presented a novel approach to gaining initial access to AWS accounts: exploiting vulnerabilities within AWS services themselves. Moving beyond the "boring" and prevalent attack vectors like leaked access keys, exposed S3 buckets, or compromised EC2 instances, which Frichette estimates account for **95%** of real-world AWS breaches, the presentation focused on a more sophisticated strategy. The core idea is to abuse the pre-existing trust relationships that AWS Identity and Access Management (IAM) roles establish with various AWS services, effectively "kicking in the door to the cloud" by turning a cloud provider's own infrastructure against its customers.
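The trust relationships the summary refers to live in a role's trust policy: a statement that lets a service principal (for example `appsync.amazonaws.com`) call `sts:AssumeRole`. A confused-deputy attack through such a service works precisely when that statement does not pin which account or resource the service must be acting for. The check below is an added example written for this page, not code from the talk, from Frichette or from DataDog; it assumes the mitigation AWS documents for service-principal confused deputies (the `aws:SourceAccount` / `aws:SourceArn` condition keys), and the two trust policies and the account ID are constructed placeholders. It flags service trusts that lack a source-pinning condition and shows the corrected form of the same statement.

```python
"""Audit IAM role trust policies for service principals that can be used as a
confused deputy: an Allow statement that lets an AWS service assume the role
without an aws:SourceAccount / aws:SourceArn (or SourceOrgID / SourceOrgPaths)
condition pinning the caller. Added example; sample data is constructed."""
import copy
import json

# Constructed placeholder account ID (not a real account, not from the talk).
PLACEHOLDER_ACCOUNT = "111111111111"

# Weak trust policy: any AppSync API, in any account, may assume this role.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "appsync.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Hardened form: the service must be acting for a resource in our own account.
HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "appsync.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": PLACEHOLDER_ACCOUNT},
                "ArnLike": {
                    "aws:SourceArn": f"arn:aws:appsync:*:{PLACEHOLDER_ACCOUNT}:apis/*"
                },
            },
        }
    ],
}

# Condition keys that tie a service call back to a specific source (lower-cased
# because IAM condition keys are matched case-insensitively).
SOURCE_PINNING_KEYS = {
    "aws:sourceaccount",
    "aws:sourcearn",
    "aws:sourceorgid",
    "aws:sourceorgpaths",
}


def _as_list(value):
    """IAM allows a single string/object or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Flatten {"StringEquals": {"aws:SourceAccount": ...}, ...} to a key set."""
    return {
        key.lower()
        for operator_block in statement.get("Condition", {}).values()
        for key in operator_block
    }


def find_unpinned_service_trusts(trust_policy):
    """Return the service principals that may assume the role without any
    source-pinning condition. An empty list means every service trust is pinned."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # AWS-account or "*" principals are a different review item
        services = _as_list(principal.get("Service"))
        if services and not (_condition_keys(stmt) & SOURCE_PINNING_KEYS):
            findings.extend(services)
    return findings


def pin_service_trusts(trust_policy, account_id):
    """Return a deep copy in which every unpinned service trust gains an
    aws:SourceAccount condition for account_id. The input is left untouched."""
    hardened = copy.deepcopy(trust_policy)
    for stmt in _as_list(hardened.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if not principal.get("Service"):
            continue
        if _condition_keys(stmt) & SOURCE_PINNING_KEYS:
            continue
        condition = stmt.setdefault("Condition", {})
        condition.setdefault("StringEquals", {})["aws:SourceAccount"] = account_id
    return hardened


if __name__ == "__main__":
    print("weak    :", find_unpinned_service_trusts(WEAK_TRUST))
    print("hardened:", find_unpinned_service_trusts(HARDENED_TRUST))
    print(json.dumps(pin_service_trusts(WEAK_TRUST, PLACEHOLDER_ACCOUNT), indent=2))
```

`pin_service_trusts` adds only `aws:SourceAccount`, which is the coarse fix; where the service documents an `aws:SourceArn` format, as in `HARDENED_TRUST`, pinning to the specific resource ARN is the stricter choice. In a real review the policies would come from `iam:GetRole` / `AssumeRolePolicyDocument` rather than inline constants.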

AI review

This is a prime example of real research. Frichette goes beyond the noise of common cloud misconfigurations to dive into vulnerabilities within the cloud provider's own services. The detailed breakdown of a cross-account PassRole bypass via a confused deputy in AppSync is a critical, novel finding that forces defenders to rethink their trust models. This isn't just a vulnerability report; it's a foundational lesson in advanced cloud exploitation and defense that will be discussed for years.
