How AI Cracks AWS in Under 8 Minutes, Rendering Cloud Defenses Useless

Part 01 – AI‑Assisted Rapid Privilege Escalation

According to Sysdig’s latest threat report, an attacker leveraged a large language model (LLM) to complete a full AWS attack chain—from credential theft, privilege escalation, lateral movement to GPU resource abuse—in less than eight minutes, leaving defenders unable to react.

Sysdig observed that a single credential exposed in a public S3 bucket granted full administrative rights, demonstrating that AI‑driven automation compresses the cloud attack lifecycle from hours to minutes. Acalvio CEO Ram Varadarajan warned that intrusion speed has shifted from days to minutes and that defenses must match the attacker’s rapid reasoning.

Part 02 – Public Bucket to Privilege Escalation

The breach began with an exposed AWS credential in a public S3 bucket containing AI‑related data. The associated IAM user had Lambda invocation rights and limited Amazon Bedrock access, likely created by the victim organization for automated Bedrock tasks.

After obtaining read access, the attacker enumerated AWS services and modified an existing Lambda function to elevate privileges. By injecting malicious code into a function with an over‑permissive execution role, the attacker created a new access key for an admin user and extracted it from the Lambda output.

Sectigo senior researcher Jason Soroko emphasized that the root cause is a basic security lapse: the public bucket exposure, and noted LLM‑generated code fragments with extensive error handling and non‑English comments.

Part 03 – Lateral Movement, LLM Hijacking, and GPU Abuse

With admin rights, the attacker moved laterally across 19 AWS accounts, assuming multiple roles and creating new users to obscure activity, thereby maintaining persistence and complicating detection.

The attacker then targeted Amazon Bedrock, enumerating available models and confirming that model‑call logging was disabled, a hallmark of “LLM hijacking.” The final stage involved resource abuse: after preparing keys and security groups, the attacker launched high‑end GPU instances to run machine‑learning workloads. Although many instances failed due to capacity limits, a costly GPU instance was eventually started, and scripts installing CUDA, training frameworks, and exposing a JupyterLab interface were deployed.

Some code referenced non‑existent repositories, which Sysdig attributed to LLM hallucination.

Part 04 – The Vanishing Defense Window

Keeper Security CISO Shane Barney noted that the most unsettling aspect is not new AI attack techniques but the elimination of the attacker’s hesitation; once legitimate access is obtained, reconnaissance, privilege testing, and lateral movement collapse into a single rapid sequence, erasing traditional buffer time.

Sysdig recommends strict least‑privilege controls for IAM users, roles, and Lambda execution roles; tightly restrict “UpdateFunctionCode” and “PassRole” permissions; ensure no sensitive S3 buckets are public; enable Lambda versioning; turn on Amazon Bedrock model‑call logging; and monitor large‑scale enumeration activity.