an AWS security breach that severely impacted a growing SaaS company. An attacker gained access to administrator-level credentials and exploited architectural flaws to compromise both staging and production environments. The incident led to data exfiltration, deletion of critical resources and backups, and a week-long production outage. Despite having some AWS security best practices in place, the company’s security controls were improperly configured, allowing the attacker to move laterally and cause extensive damage.
The root cause was traced to leaked IAM access keys with AdministratorAccess. Poor architectural choices—such as using a single AWS account for all resources, exposing RDS databases to the internet, and insufficient log protection—amplified the attacker’s ability to operate undetected. The attacker employed various tactics including VPN-based obfuscation, privilege abuse, log deletion, and credential misuse.
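As a defender-side illustration of the three conditions named above (admin-level long-lived keys, internet-facing RDS, weakly protected CloudTrail logs), here is an added posture check; it is example code, not from the original write-up or the affected company. It evaluates dicts shaped like the boto3 responses of `iam.list_attached_user_policies` / `iam.list_access_keys`, `rds.describe_db_instances` and `cloudtrail.describe_trails`; the sample inputs are constructed so the script runs offline, and in practice they would come from those API calls.

```python
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def admin_users_with_active_keys(users):
    """IAM users holding AdministratorAccess through a long-lived access key.
    Each item merges list_attached_user_policies and list_access_keys output."""
    findings = []
    for u in users:
        arns = {p["PolicyArn"] for p in u["AttachedPolicies"]}
        active = [k["AccessKeyId"] for k in u["AccessKeyMetadata"] if k["Status"] == "Active"]
        if ADMIN_POLICY_ARN in arns and active:
            findings.append((u["UserName"], active))
    return findings

def public_rds_instances(db_instances):
    """RDS instances flagged PubliclyAccessible (describe_db_instances output)."""
    return [db["DBInstanceIdentifier"] for db in db_instances if db.get("PubliclyAccessible")]

def weak_trails(trails):
    """CloudTrail trails (describe_trails output) whose logs could be altered or
    gapped without detection: no digest validation, single region, no KMS key."""
    findings = []
    for t in trails:
        problems = [msg for ok, msg in (
            (t.get("LogFileValidationEnabled"), "log file validation off"),
            (t.get("IsMultiRegionTrail"), "single-region trail"),
            (t.get("KmsKeyId"), "log files not KMS-encrypted"),
        ) if not ok]
        if problems:
            findings.append((t["Name"], problems))
    return findings

# Constructed sample data mirroring the write-up's conditions (not real account data).
SAMPLE_USERS = [
    {"UserName": "deploy-bot", "AttachedPolicies": [{"PolicyArn": ADMIN_POLICY_ARN}],
     "AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active"}]},
    {"UserName": "auditor", "AttachedPolicies": [{"PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"}],
     "AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Inactive"}]},
]
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "prod-postgres", "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "staging-postgres", "PubliclyAccessible": False},
]
SAMPLE_TRAILS = [{"Name": "main-trail", "LogFileValidationEnabled": False,
                  "IsMultiRegionTrail": False, "S3BucketName": "example-logs"}]

def run_checks(users=SAMPLE_USERS, dbs=SAMPLE_DBS, trails=SAMPLE_TRAILS):
    """Return all findings; empty lists throughout mean the three controls hold."""
    return {"admin_keys": admin_users_with_active_keys(users),
            "public_rds": public_rds_instances(dbs),
            "weak_trails": weak_trails(trails)}
```

Run `run_checks()` against the constructed data and every check reports a finding, which is the state the incident describes; feeding it live API output turns it into a quick pre-incident audit.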