Type: Incident
Actors:
Pub. date: April 5, 2022
Initial access:
Impact:
Status: Stub
Last edited: Jun 2, 2024 11:53 AM
Expel’s SOC detected unauthorized access to one of its customers’ Amazon Web Services (AWS) environments. The attacker used a long-term access key to gain initial access. Once in, they abused the AWS Identity and Access Management (IAM) service to escalate privileges to administrative roles and to create two new users and access keys, establishing a foothold in the customer’s environment. Expel stopped the attacker before they could get any further.
https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/