hackaws.cloud Blog
https://hackaws.cloud/blog
Technical analysis of AWS security incidents, blast radius patterns, and cloud attack surface insights.
Language: en-us
Last build date: Mon, 16 Mar 2026 00:00:00 GMT

93 HackerOne Reports Show the Same AWS Blast Radius Problem
Link: https://hackaws.cloud/blog/ssrf-credential-theft-blast-radius-hackerone
Published: Mon, 16 Mar 2026 00:00:00 GMT
We analyzed 1,169 AWS-related HackerOne reports. The dominant pattern: SSRF or leaked credentials become full infrastructure access because nobody measured the blast radius of the compromised identity.
Tags: blast-radius, ssrf, iam, credential-exposure

AWS Finally Gave S3 Buckets Their Own Rooms
Link: https://hackaws.cloud/blog/aws-finally-gave-s3-buckets-their-own-rooms
Published: Sat, 14 Mar 2026 00:00:00 GMT
For years, predictable S3 bucket names let attackers squat resources and hijack AWS services. Account-regional namespaces, launched March 2026, eliminate the entire attack class. Here's what changed and what you need to do.
Tags: s3, iam, supply-chain, shadow-resources

What the LexisNexis Breach Teaches Us About Blast Radius in AWS
Link: https://hackaws.cloud/blog/blast-radius-lexisnexis-breach
Published: Mon, 09 Mar 2026 00:00:00 GMT
A single ECS task role with read access to every secret in the account. The LexisNexis breach is a textbook case of why blast radius validation matters.
Tags: blast-radius, iam, secrets-manager, breach-analysis

The Capital One Breach, Seven Years Later: The Blast Radius Problem That Won't Go Away
Link: https://hackaws.cloud/blog/capital-one-ssrf-imds-blast-radius
Published: Sat, 07 Mar 2026 00:00:00 GMT
In 2019, a single SSRF vulnerability turned into 106 million stolen records. AWS shipped IMDSv2. Seven years later, half of EC2 instances still don't enforce it, and attackers have industrialized the technique.
Tags: blast-radius, ssrf, iam, imds, breach-analysis
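The Capital One entry above turns on one control: whether an instance still answers IMDSv1 requests, which is what an SSRF can reach with a plain GET. The check below is an added example, not code from hackaws.cloud or any of the posts listed here. It walks a structure shaped like the EC2 DescribeInstances response (the real field names are MetadataOptions.HttpTokens, HttpEndpoint and HttpPutResponseHopLimit) and flags instances that allow IMDSv1 or expose IMDS to extra network hops, ranking those that also carry an IAM role as the ones where SSRF becomes credential theft. SAMPLE_RESPONSE is constructed so the script runs offline; in practice you would feed it pages from boto3's ec2.describe_instances() instead.

```python
"""Audit EC2 instances for IMDSv2 enforcement and IAM-role exposure.

Added example, not hackaws.cloud code. Operates on a dict shaped like the
EC2 DescribeInstances API response so it runs offline; SAMPLE_RESPONSE is
constructed for illustration (instance IDs and ARNs are made up).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Finding:
    instance_id: str
    role_arn: Optional[str]
    http_tokens: str
    hop_limit: int
    issues: List[str] = field(default_factory=list)


# Constructed sample: three instances, one correctly hardened.
SAMPLE_RESPONSE: Dict = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111",
             "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-app"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222",
             "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/batch"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
        ]},
    ]
}


def audit_imds(response: Dict) -> List[Finding]:
    """Return one Finding per instance whose IMDS settings widen SSRF blast radius."""
    findings: List[Finding] = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # IMDS switched off entirely: nothing for an SSRF to reach.
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue
            tokens = opts.get("HttpTokens", "optional")
            hop = int(opts.get("HttpPutResponseHopLimit", 1))
            role = (inst.get("IamInstanceProfile") or {}).get("Arn")
            issues: List[str] = []
            if tokens != "required":
                # IMDSv1 answers a bare GET, which is all a typical SSRF can send.
                issues.append("IMDSv1 allowed (HttpTokens=optional)")
            if hop > 1:
                # The session token PUT survives extra hops, so bridged containers
                # or NAT-ed workloads on the host can reach IMDS too.
                issues.append(f"HttpPutResponseHopLimit={hop} exposes IMDS beyond the host")
            if issues and role:
                issues.append(f"instance role {role} is reachable: SSRF yields role credentials")
            if issues:
                findings.append(Finding(inst["InstanceId"], role, tokens, hop, issues))
    # Instances with a role first: those are the credential-theft paths.
    findings.sort(key=lambda f: (f.role_arn is None, f.instance_id))
    return findings


def remediation_command(finding: Finding) -> str:
    """AWS CLI call that enforces IMDSv2 on the flagged instance."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {finding.instance_id} "
            "--http-tokens required --http-endpoint enabled")


if __name__ == "__main__":
    for f in audit_imds(SAMPLE_RESPONSE):
        print(f"{f.instance_id} tokens={f.http_tokens} hops={f.hop_limit}")
        for issue in f.issues:
            print(f"  - {issue}")
        print(f"  fix: {remediation_command(f)}")
```

The hop-limit check is the one teams most often miss: enforcing HttpTokens=required stops IMDSv1, but a hop limit above 1 still lets a compromised container on the same host complete the IMDSv2 token handshake, so both settings belong in the same audit.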