S3 data exfiltration

Datadog observed an attacker leveraging a compromised IAM user access key to gain initial access to an AWS environment, at which point they checked SES quotes and enumerated cloud identities. The threat actor proceeded to create a new admin user. The above was quick and therefore most likely automated via scripting. The attacker then manually enumerated VMs and other resources, and attempted to use EC2 Instance Connect to gain access to VMs. The actor downloaded data from S3 buckets, attempted to spin up new VMs, and created additional admin users.