AWS Credentials File Grab for 2026-03-10

Mar 10, 2026 WebExploit

Last Updated: 12:12 UTC

Direct requests for /.aws/credentials — the AWS CLI credential store. Long-term AWS access keys in this file grant full programmatic access to the associated AWS account. Widely targeted in automated cloud credential harvesting campaigns.

MITRE ATT&CK

Tactic: Credential Access (TA0006)
Technique: T1552.005 — Cloud Instance Metadata API

Observed URIs

/.aws/credentials
/root/.aws/credentials
/~/.aws/credentials

Attackers by Country

IP Address : ASN : City/Provider

185.177.72.13 : ASNone : Congleton
185.177.72.56 : ASNone : Congleton
34.142.251.255 : AS396982 google : United States of America
45.148.10.244 : AS48090 pptechnology limited : Amsterdam
45.153.34.43 : AS44592 skylink data center bv : Germany

Share on: