IAM eventual-consistency exploited in AWS

Attackers are abusing IAM eventual-consistency windows in AWS to backdoor accounts during policy-update delays, creating persistence and blind spots for CloudTrail-based detection. The pattern matters for GovCloud/IL hardening, where timed policy changes and automated deployments can widen the attack surface if transient privileges are not monitored.

OFFENSAI [published Dec 7, 2025] measured a predictable ~3-4 second IAM propagation delay in public regions (tested across us-east-1 and eu-central-1) (offensai.com). CloudTrail records the deletion call and the attacker's follow-on API activity in sequence, yet in OFFENSAI's tests the enforcement lag still allowed credential use and new-key creation before revocation fully propagated (offensai.com).

OFFENSAI's analysis shows that the consistency gap affects access-key deletion as well as policy attach/detach, role assumption/creation/deletion and login-profile changes, and demonstrates that inline deny policies (e.g., AWSDenyAll) can be observed and removed within the window; the research therefore recommends account-level Service Control Policies (SCPs) for quarantine, because attackers cannot remove SCPs (offensai.com).

After responsible disclosure, AWS applied partial mitigations and documentation updates (AWS acknowledged changes in April 2025, and a subsequent update reduced re-creation of keys), but independent retests reported residual gaps as of early December 2025; defensive playbooks should prefer roles and STS short-term credentials, and bake propagation-aware waits and SCP-based containment into automated IR runbooks (technewscentre.com).
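The sequence described above (a DeleteAccessKey call followed by further activity on the same key) is exactly what a CloudTrail correlation check can surface. The following is an added example, not code from OFFENSAI or the cited articles: it replays constructed CloudTrail events (placeholder key IDs, hypothetical timestamps) and flags any call made with a key after its deletion was recorded, marking calls that would establish persistence.

```python
from datetime import datetime, timezone

# IAM calls that establish persistence if they slip through the consistency window.
PERSISTENCE_CALLS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                     "UpdateLoginProfile", "AttachUserPolicy", "PutUserPolicy",
                     "CreateRole", "AttachRolePolicy", "DeleteUserPolicy"}

# Constructed sample CloudTrail events (not real telemetry); key IDs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2025-12-07T09:59:50Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"accessKeyId": "AKIAREVOKEDPLACEHOLDER"}},
    {"eventTime": "2025-12-07T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteAccessKey", "userIdentity": {"accessKeyId": "AKIAADMINPLACEHOLDER"},
     "requestParameters": {"userName": "svc-user", "accessKeyId": "AKIAREVOKEDPLACEHOLDER"}},
    {"eventTime": "2025-12-07T10:00:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": {"accessKeyId": "AKIAREVOKEDPLACEHOLDER"}},
    {"eventTime": "2025-12-07T10:00:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"accessKeyId": "AKIAREVOKEDPLACEHOLDER"},
     "requestParameters": {"userName": "svc-user"}},
    {"eventTime": "2025-12-07T10:00:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"accessKeyId": "AKIAADMINPLACEHOLDER"}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_post_revocation_use(events):
    """Return calls made with an access key after CloudTrail recorded its DeleteAccessKey.

    Use of a key is checked before a deletion is recorded, so a key that deletes
    itself is not reported; lag_seconds shows how long after revocation the key still worked.
    """
    revoked_at = {}   # accessKeyId -> time of the first DeleteAccessKey for it
    findings = []
    for ev in sorted(events, key=_ts):
        t = _ts(ev)
        key_id = ev.get("userIdentity", {}).get("accessKeyId")
        if key_id in revoked_at:
            findings.append({
                "accessKeyId": key_id,
                "eventName": ev["eventName"],
                "lag_seconds": (t - revoked_at[key_id]).total_seconds(),
                "persistence": ev["eventName"] in PERSISTENCE_CALLS,
            })
        if ev["eventSource"] == "iam.amazonaws.com" and ev["eventName"] == "DeleteAccessKey":
            revoked_at.setdefault(ev["requestParameters"]["accessKeyId"], t)
    return findings
```

Run against a real trail export, any finding with a non-zero lag is a revocation that did not take effect immediately, and a persistence finding means the containment step must be repeated and followed by SCP-based quarantine.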
