AWS Credentials File Grab for 2026-02-21

Last Updated: 12:00 UTC

Direct requests for /.aws/credentials — the AWS CLI credential store. Long-term AWS access keys in this file grant full programmatic access to the associated AWS account. Widely targeted in automated cloud credential harvesting campaigns.

MITRE ATT&CK

Tactic: Credential Access (TA0006)
Technique: T1552.005 — Cloud Instance Metadata API

Observed URIs

• /.aws/credentials
• /root/.aws/credentials
• /home/*/.aws/credentials
• /~/.aws/credentials

Attackers by Country

IP Address : ASN : City/Provider

• 136.0.213.103 : AS18779 egihosting : United States of America

• 185.177.72.13 : ASNone : Congleton

• 195.178.110.160 : AS30823 combahton gmbh : Reston

• 195.178.110.64 : AS30823 combahton gmbh : Reston

• 45.148.10.238 : AS48090 pptechnology limited : Amsterdam

• 93.123.109.214 : AS48584 sarnica net : Bulgaria