AWS Credentials File Grab for 2026-03-23

Last Updated: 08:17 UTC

Direct requests for /.aws/credentials — the AWS CLI credential store. Long-term AWS access keys in this file grant full programmatic access to the associated AWS account. Widely targeted in automated cloud credential harvesting campaigns.

MITRE ATT&CK

Tactic: Credential Access (TA0006)
Technique: T1552.005 — Cloud Instance Metadata API

Observed URIs

  • /.aws/credentials
  • /root/.aws/credentials
  • /home/*/.aws/credentials
  • /~/.aws/credentials
  • /admin/config?cmd=cat+/root/.aws/credentials

Attackers by Country

  • United Kingdom of Great Britain and Northern Ireland: 2 (66.7%)
  • Ukraine: 1 (33.3%)

IP Address : ASN : City/Provider
