Case Study · Cloud Security Testing
All Customer Data at Risk: One IAM Misconfiguration Exposed an Entire AWS Environment
Engagement Background
The Situation When We Were Engaged
A 150-person HR technology SaaS company had recently completed a rapid migration from on-premises to AWS. Their platform processed payroll data, PAN numbers, Aadhaar references, bank account details, and employment records for 50,000+ enterprise customers.
An AWS Well-Architected Review 8 months earlier had found configuration deviations but nothing classified as critical. The company had not conducted adversarial cloud security testing.
The trigger was a ₹3.2 crore enterprise deal — whose security questionnaire required ‘independent penetration testing of the cloud environment within the last 12 months.’ The engagement that followed revealed that 100% of customer data was accessible from a single compromised low-privilege service account.
Three publicly accessible S3 buckets contained complete payroll export files, full database backups, and JavaScript bundles with hardcoded third-party API keys — all publicly reachable by anyone who could construct or enumerate their URLs.
Client Profile
Attack Scenario & Methodology
How the Assessment Was Conducted
Assessment Methodology
Technical Findings
What We Found
Each finding was documented with a proof-of-concept, and root cause and remediation guidance were provided for every item.
The Lambda execution role held iam:AttachRolePolicy and could target its own role. Exploit chain: (1) with the execution role's credentials, call iam:AttachRolePolicy to attach the AWS-managed AdministratorAccess policy to the execution role itself; (2) invoke the Lambda, which now runs with administrator rights; (3) full account compromise. Time: under 60 seconds. All 50,000+ customers' data was reachable from this single escalation.
PMapper analysis found 13 additional escalation paths (2-hop to 7-hop chains), including iam:CreatePolicyVersion abuse, iam:CreateLoginProfile on admin users, ec2:RunInstances combined with iam:PassRole, and glue:CreateDevEndpoint (which also relies on iam:PassRole). Fixing any one path would not have eliminated the risk; an architectural redesign was required.
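As an added example (not PMapper and not the engagement's own tooling), the check below lints a single principal's policy documents for the escalation primitives named in the two findings above. PMapper builds the full graph of which principal can become which; this is the first-pass check you can run in CI on one role's policies before that. The policy documents, role names and the 123456789012 account ID are constructed placeholders.

```python
"""Lint IAM policy documents for privilege-escalation primitives.

Added example, not PMapper or the engagement's tooling. Policies are constructed;
123456789012 is the AWS documentation placeholder account ID.
"""
import fnmatch

# Actions that on their own let a principal raise its privileges when allowed on Resource "*".
SELF_ESCALATION = {
    "iam:AttachRolePolicy": "attach AdministratorAccess to a role, including the caller's own",
    "iam:PutRolePolicy": "write an inline admin policy onto a role",
    "iam:AttachUserPolicy": "attach a managed policy to any user",
    "iam:CreatePolicyVersion": "publish a permissive version of an attached managed policy as default",
    "iam:SetDefaultPolicyVersion": "switch an attached managed policy to a more permissive version",
    "iam:CreateLoginProfile": "set a console password on an existing (for example admin) user",
    "iam:CreateAccessKey": "mint access keys for another user",
    "iam:UpdateAssumeRolePolicy": "edit a role's trust policy so the caller can assume it",
}
# These escalate only together with iam:PassRole: the launched resource runs as the passed role.
PASSROLE_CONSUMERS = ("ec2:RunInstances", "lambda:CreateFunction",
                      "glue:CreateDevEndpoint", "cloudformation:CreateStack")


def _listify(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statements(policies, effect):
    """Yield (action_pattern, resources) for every statement with the given Effect."""
    for policy in policies:
        for stmt in _listify(policy.get("Statement")):
            if stmt.get("Effect") != effect:
                continue
            resources = _listify(stmt.get("Resource", "*"))
            if "NotAction" in stmt:
                if effect == "Allow":      # Allow/NotAction grants everything else: treat as "*"
                    yield "*", resources   # (a Deny/NotAction is ignored, which only over-reports)
                continue
            for pattern in _listify(stmt.get("Action")):
                yield pattern, resources


def allowed_resources(policies, action):
    """Resources on which `action` is allowed; empty if an explicit Deny on "*" covers it.
    A Deny scoped to one ARN is ignored here, so the check errs towards reporting."""
    for pattern, resources in _statements(policies, "Deny"):
        if _matches(pattern, action) and "*" in resources:
            return set()
    return {r for pattern, resources in _statements(policies, "Allow")
            if _matches(pattern, action) for r in resources}


def find_escalation_primitives(policies):
    """Return sorted [(primitive, resources)] that a principal with these policies could abuse."""
    findings = []
    for action in SELF_ESCALATION:
        resources = allowed_resources(policies, action)
        if resources:
            findings.append((action, tuple(sorted(resources))))
    passable = allowed_resources(policies, "iam:PassRole")
    if passable:
        for consumer in PASSROLE_CONSUMERS:
            if allowed_resources(policies, consumer):
                findings.append((f"iam:PassRole + {consumer}", tuple(sorted(passable))))
    return sorted(findings)


# Constructed: the shape of the primary finding, an execution role that can edit its own attachments.
VULNERABLE_LAMBDA_ROLE = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:AttachRolePolicy", "Resource": "*"},
]}]
# Constructed: an ops role with PassRole plus services that run as a passed role (glue:* covers CreateDevEndpoint).
WIDE_OPS_ROLE = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances", "glue:*"], "Resource": "*"},
]}]
# Constructed: PassRole pinned to one role ARN and no action that launches anything as that role.
HARDENED_LAMBDA_ROLE = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/app-worker"},
]}]

if __name__ == "__main__":
    for name, policies in [("vulnerable", VULNERABLE_LAMBDA_ROLE), ("ops", WIDE_OPS_ROLE),
                           ("hardened", HARDENED_LAMBDA_ROLE)]:
        for primitive, resources in find_escalation_primitives(policies):
            print(f"{name}: {primitive} on {', '.join(resources)}")
            print(f"   why: {SELF_ESCALATION.get(primitive, 'launched resource inherits the passed role')}")
```

Resource scoping matters as much as the action: the hardened role still holds iam:PassRole, but pinned to one ARN and without any action that launches something as the passed role, so nothing is reported. A Deny is honoured only when it covers Resource "*"; a narrower Deny is ignored, which errs on the side of reporting rather than missing a path.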
A bucket named with the company name plus an 'exports' suffix was publicly listable. It held 847 payroll export files: employee full names, PAN numbers, bank account numbers, IFSC codes and salary breakdowns, roughly 47,000 individual employee records. The bucket-level ACL had been set to public-read during a temporary debugging session and was never reverted.
Weekly PostgreSQL dump backups (.sql.gz, unencrypted) sat in a public-read bucket: the complete database of all 50,000+ customer companies' employee records, all historical payroll data, all authentication data (hashed passwords) and all API keys. Anyone with the URL could download them, and object names were predictable, so the URLs could be guessed.
A public-read static asset bucket served the frontend JavaScript bundles. Static analysis of the bundles found hardcoded keys: a payment gateway API key (read transaction history, initiate test transactions), an SMS OTP provider key (send arbitrary SMS billed to the client) and a background verification API key (query any individual's employment verification data). Anything shipped in a browser bundle is readable by every user of the site, public bucket or not, so the keys had to be rotated, not just hidden.
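The next block is an added example, not the engagement's tooling, that evaluates a bucket's exposure offline from the three things that decide it: the bucket ACL, the bucket policy and the Block Public Access configuration. The inputs are constructed in the JSON shape the s3api get-bucket-acl, get-bucket-policy and get-public-access-block calls return, so the same function can be pointed at real output; the bucket name and canonical IDs are placeholders.

```python
"""Offline evaluation of an S3 bucket's public exposure.

Added example, not the engagement's tooling. Inputs are constructed in the shape of the
GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API responses; names are placeholders.
"""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anonymous internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account: still public
}


def _listify(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_permissions(acl):
    """ACL permissions granted to a public group. On a bucket, READ means ListObjects."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perms.add(grant["Permission"])
    return perms


def public_policy_actions(policy):
    """Actions an Allow statement grants to a wildcard principal with no Condition."""
    actions = set()
    for stmt in _listify((policy or {}).get("Statement")):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and "*" in _listify(principal.get("AWS")))
        # A Condition (e.g. aws:SourceVpce) may narrow the audience; such statements need manual review.
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            actions.update(_listify(stmt.get("Action")))
    return actions


def assess_bucket(acl, policy=None, public_access_block=None):
    """Effective exposure right now. IgnorePublicAcls neutralises public ACL grants and
    RestrictPublicBuckets neutralises a public bucket policy; BlockPublicAcls and
    BlockPublicPolicy only stop new public settings being written."""
    pab = public_access_block or {}
    acl_perms = public_acl_permissions(acl)
    policy_actions = public_policy_actions(policy)
    acl_live = set() if pab.get("IgnorePublicAcls") else acl_perms
    policy_live = set() if pab.get("RestrictPublicBuckets") else policy_actions
    grants_all = "s3:*" in policy_live
    return {
        "public_acl_permissions": sorted(acl_perms),
        "public_policy_actions": sorted(policy_actions),
        "listable": "READ" in acl_live or grants_all or "s3:ListBucket" in policy_live,
        "objects_readable_by_policy": grants_all or "s3:GetObject" in policy_live,
        # Per-object ACLs (public-read set on upload) are not visible here and must be checked
        # object by object; IgnorePublicAcls is the one switch that neutralises all of them at once.
        "exposed": bool(acl_live or policy_live),
    }


# Constructed inputs modelled on the exports and backup bucket findings.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
EXPORTS_BUCKET_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},  # the "temporary debugging" grant that was never reverted
]}
PRIVATE_ACL = {"Owner": {"ID": "owner-canonical-id"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
BACKUP_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-hr-backups/*"},
]}
ACCOUNT_LEVEL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("exports, as found   :", assess_bucket(EXPORTS_BUCKET_ACL))
    print("exports, after BPA  :", assess_bucket(EXPORTS_BUCKET_ACL, public_access_block=ACCOUNT_LEVEL_BLOCK))
    print("backups, as found   :", assess_bucket(PRIVATE_ACL, BACKUP_BUCKET_POLICY))
```

The second assessment shows why account-level Block Public Access was the day-one fix: with IgnorePublicAcls and RestrictPublicBuckets set, the exports bucket stops being listable even though its public-read grant is still present on the ACL, which is also why the grant itself was revoked. At the account level the switch is aws s3control put-public-access-block with all four flags set to true.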
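How the hardcoded keys get found, as an added example rather than the engagement's tooling: a scanner over a minified bundle that pairs two heuristics, the name a literal is assigned to and the randomness of the literal itself. The bundle fragment and every key in it are constructed, and the vendor hostname is not real.

```python
"""Scan a (minified) JavaScript bundle for hardcoded credentials.

Added example, not the engagement's tooling. The bundle fragment and every key in it are
constructed. The heuristics are deliberately simple and need tuning on real bundles
(regex literals or comments containing quotes can desynchronise the string lexer).
"""
import math
import re

# Double- or single-quoted string literal with escapes, matched in order so quotes stay paired.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"' + r"|'((?:[^'\\]|\\.)*)'")
# Identifier or property name immediately before the literal: apiKey:"..." or x.token="...".
ASSIGNED_TO = re.compile(r'([A-Za-z_$][\w$]*)\s*[:=]\s*$')
KEY_NAME = re.compile(r'(?i)api[_-]?key|secret|token|passw|credential|auth')
# Key material: one run of base64/url-safe characters, 24+ long (rules out URLs, prose, versions).
KEYLIKE = re.compile(r'[A-Za-z0-9_\-+/=]{24,}')


def shannon_entropy(s):
    """Bits per character of the literal; random key material scores well above prose,
    paths or version strings (hex-only material tops out at 4.0, hence the 3.5 threshold)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_bundle(js):
    """Return [(kind, assigned_name, value)]: kind is "named" when the literal is assigned to a
    credential-looking identifier, "entropy" when only the literal itself looks like a key."""
    findings = []
    for m in STRING_LITERAL.finditer(js):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        before = ASSIGNED_TO.search(js[max(0, m.start() - 64):m.start()])
        name = before.group(1) if before else ""
        if KEY_NAME.search(name) and len(value) >= 16:
            findings.append(("named", name, value))
        elif KEYLIKE.fullmatch(value) and shannon_entropy(value) >= 3.5:
            findings.append(("entropy", name, value))
    return findings


# Constructed bundle fragment: three secrets among ordinary config strings. Nothing here is a real key.
SAMPLE_BUNDLE = (
    '!function(e){var t={apiKey:"pg_live_7Q2mN9xKf3Lp8Vw1Zr4Ty6Bh0Jd5Sc",region:"ap-south-1"};'
    'e.sms=e.createClient({authToken:"c4d1e9a8f22b4c0d9f3e1a6b7c8d9e0f1a2b3c4d"});'
    'e.verifyUrl="https://bgv.example.invalid/api/v2/verify";e.label="Employee background verification";'
    'e.x="k7Qw2mZp9XcV4bN8rT1yH6sL3fG0jD5aE2uB";e.build="2024.03.12-3f9a1c2";e.init(t)}(window);'
)

if __name__ == "__main__":
    for kind, name, value in scan_bundle(SAMPLE_BUNDLE):
        print(f"{kind:8} {name or '<unnamed>':10} {value[:8]}... ({len(value)} chars)")
```

The third hit is the interesting one: the key assigned to a throwaway name like x would slip past a name-only grep, and only the entropy test catches it. On a real bundle, treat every hit as a key to rotate, since the bundle has already been served to every visitor.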
The RDS security group allowed inbound traffic from 0.0.0.0/0, so the database was protected only by its credentials, which were themselves sitting in the public backup bucket.
CloudTrail was not enabled in every region: attacker activity in ap-south-2, eu-west-2, us-east-2 and ap-southeast-3 would generate no audit trail at all.
EC2 instances still served IMDSv1, so an SSRF vulnerability in any hosted application would let an attacker read the instance role's temporary credentials from the instance metadata service (169.254.169.254) with a single GET request.
GuardDuty was enabled, but findings were not routed to any alerting system; 8 months of findings sat unreviewed in the console.
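The SSRF to metadata-service chain above, and why enforcing IMDSv2 breaks it, as an added example: an in-process model of the metadata endpoint's documented v1 and v2 behaviour, not AWS code. The role name and credentials are constructed placeholders, and the model leaves out the response hop limit that IMDSv2 additionally enforces.

```python
"""Model of the SSRF -> instance metadata -> role credentials chain, and the IMDSv2 fix.

Added example: an in-process model of the metadata endpoint's documented v1/v2 behaviour,
not AWS code. The role name and credentials are constructed placeholders, and the model
omits the response hop limit that IMDSv2 additionally enforces.
"""
import json
import secrets

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


class MetadataService:
    """http_tokens="optional" is IMDSv1-compatible; "required" is what HttpTokens=required enforces."""

    def __init__(self, role_name, credentials, http_tokens="optional"):
        self.role_name = role_name
        self.credentials = credentials
        self.http_tokens = http_tokens
        self.tokens = set()

    def handle(self, method, path, headers=None):
        h = {k.lower(): v for k, v in (headers or {}).items()}
        # v2 session token: only via PUT with a TTL header. A URL-only SSRF sends GET and no headers.
        if method == "PUT" and path == TOKEN_PATH:
            if "x-aws-ec2-metadata-token-ttl-seconds" not in h:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self.tokens.add(token)
            return 200, token
        if method != "GET":
            return 405, ""
        if self.http_tokens == "required" and h.get("x-aws-ec2-metadata-token") not in self.tokens:
            return 401, ""
        if path == CREDS_PATH:
            return 200, self.role_name                  # lists the attached role
        if path == CREDS_PATH + self.role_name:
            return 200, json.dumps(self.credentials)    # temporary keys for that role
        return 404, ""


def ssrf_get(service, url):
    """The attacker's primitive: the application fetches an attacker-chosen URL with GET and no custom headers."""
    if not url.startswith(IMDS_BASE):
        return None
    status, body = service.handle("GET", url[len(IMDS_BASE):])
    return body if status == 200 else None


def steal_credentials_via_ssrf(service):
    """Two SSRF requests: learn the role name, then fetch its credentials. None if blocked."""
    role = ssrf_get(service, IMDS_BASE + CREDS_PATH)
    if role is None:
        return None
    body = ssrf_get(service, IMDS_BASE + CREDS_PATH + role)
    return json.loads(body) if body else None


def fetch_credentials_v2(service):
    """What the SDK does under IMDSv2: PUT for a session token, then GET with it in a header."""
    status, token = service.handle("PUT", TOKEN_PATH, {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    if status != 200:
        return None
    hdr = {"X-aws-ec2-metadata-token": token}
    _, role = service.handle("GET", CREDS_PATH, hdr)
    _, body = service.handle("GET", CREDS_PATH + role, hdr)
    return json.loads(body)


# Constructed placeholder role and credentials, not real keys.
ROLE = "app-server-role"
CREDS = {"AccessKeyId": "ASIAEXAMPLEPLACEHOLDER", "SecretAccessKey": "example-secret",
         "Token": "example-session-token"}

if __name__ == "__main__":
    v1 = MetadataService(ROLE, CREDS, http_tokens="optional")
    v2 = MetadataService(ROLE, CREDS, http_tokens="required")
    print("IMDSv1 via SSRF :", steal_credentials_via_ssrf(v1))   # credentials leak
    print("IMDSv2 via SSRF :", steal_credentials_via_ssrf(v2))   # None
    print("IMDSv2 SDK path :", fetch_credentials_v2(v2)["AccessKeyId"])
```

On a running instance the switch is aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required; for new instances set it in the launch template. IMDSv2 defeats an SSRF that only controls the URL. An attacker who controls the whole request (method and headers) can still complete the PUT, so least-privilege instance roles and the metadata hop limit remain necessary alongside it.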
Engagement Timeline
Phase-by-Phase Execution
Scoping & Initial Enumeration
CloudTrail analysis found no evidence of prior compromise, with the caveat that this is bounded by the trail's coverage: the four regions without CloudTrail were blind, and S3 object reads appear in CloudTrail only when data events are enabled. Mapped the AWS account structure across all 7 regions: accounts, services, IAM identities. S3 bucket enumeration discovered 3 public buckets within 40 minutes using company-name pattern variations.
IAM Privilege Escalation Analysis
PMapper analysis of complete IAM graph: discovered 14 distinct escalation paths. Primary path (Lambda → AdministratorAccess) confirmed exploitable in under 60 seconds. Escalation immediately documented and communicated to client via secure channel.
Data Exposure Scope Assessment
Confirmed contents of all 3 public S3 buckets. Assessed RDS accessibility. Mapped lateral movement paths from EC2. Identified CloudTrail blind spots and GuardDuty monitoring gaps.
Reporting & Immediate Remediation
Prioritised findings delivered. Worked with engineering team on same-day IAM remediation — 3 most critical escalation paths closed within 24 hours. S3 public access revoked same day. JavaScript API keys rotated.
Full Remediation Programme
All 14 IAM escalation paths closed. SCPs implemented at account level. IMDSv2 enforced. CloudTrail all-regions enabled. GuardDuty routed to PagerDuty. Enterprise deal documentation package delivered.
Legal & Regulatory Risk Analysis
Why This Mattered Legally
SIRI Law LLP’s integrated practice means every technical finding is analysed for its legal and regulatory implications — providing a complete risk picture, not just a vulnerability list.
DPDPA 2023 — Sensitive Personal Data Exposure
PAN numbers, Aadhaar references, bank account details, and salary data in publicly accessible S3 buckets constituted failure to implement adequate safeguards for sensitive personal data under DPDPA Section 8(4). Duration of exposure: 8–18 months.
Aadhaar Act 2016 — Disclosure Prohibition
Aadhaar numbers in the exposed payroll export files are regulated by the Aadhaar Act, 2016, which prohibits disclosure to any entity not authorised by the Act. UIDAI complaints could have been filed by any individual whose Aadhaar reference was exposed.
IT Act 2000 — Section 43A Liability
Corporate bodies negligently failing to implement reasonable security practices for sensitive personal data (salary, bank account, PAN — all SPDI Rules sensitive data) are liable for damages to affected persons. 50,000+ customer companies’ employees affected.
Customer Contractual Breach
Enterprise SaaS agreements represented adequate security standards. Publicly accessible database backups were fundamentally inconsistent with those representations. Discovery by any customer would have triggered immediate contract termination and damages claims.
Remediation Programme
How We Fixed It
✦Immediate — Day 1 (Same Day)
All 3 public S3 buckets: Block Public Access enabled, ACLs revoked within hours of report delivery.
S3 Block Public Access enabled at the AWS account level, so no bucket in the account can be made public again through an ACL or a bucket policy.
All 3 hardcoded API keys rotated — payment gateway, SMS provider, background verification service all notified.
RDS security group rule: 0.0.0.0/0 replaced with specific application subnet CIDR.
✦Week 1 — IAM Architecture Remediation
All 14 IAM privilege escalation paths remediated — Lambda role stripped of iam:AttachRolePolicy, replaced with iam:PassRole scoped to specific role ARNs.
IAM permission boundaries implemented for all service roles.
AWS SCPs via Organizations: account-level guardrails preventing IAM wildcard policy creation.
Automated PMapper runs in CI/CD pipeline — flags new escalation paths on every IAM change.
✦Weeks 2–4 — Systematic Hardening
IMDSv2 enforced on all EC2 instances (HttpTokens=required), disabling IMDSv1 and closing the SSRF-to-instance-credentials path.
CloudTrail enabled in all 7 regions — CloudWatch alerts for sensitive API calls.
GuardDuty findings routed to PagerDuty — on-call for all High+ severity findings.
Secrets Manager rotation: 30-day rotation for all database and service credentials.
VPC Flow Logs enabled — centralised in dedicated security account.
Business Outcomes
What the Client Achieved
Enterprise Deal Executed — ₹3.2 Crore ARR
The assessment satisfied the enterprise customer’s security questionnaire requirement. Contract executed within 30 days of assessment completion.
₹250 Crore DPDPA Exposure Eliminated
All public S3 data secured before any Data Protection Board enforcement trigger. Zero evidence of prior external exploitation confirmed by CloudTrail.
47,000 Employee Records Secured
PAN numbers, bank accounts, Aadhaar references of 47,000 employees across 340 enterprise companies protected from further exposure.
14 IAM Escalation Paths Closed
Fundamental IAM architecture rebuilt — not patched. Automated ongoing monitoring via PMapper CI/CD integration prevents recurrence.
8–18 Months of Exposure Remediated
Three public S3 buckets — some exposed since migration 18 months earlier — secured before adversary discovery. Zero exploitation evidence.
Compliance Frameworks
Standards Applied in This Engagement
Why Choose SIRI Law LLP
Unique Advantage
Qualified advocates — legally privileged investigations
Certified security engineers — OSCP, CISSP, CEPT, CEH
DPDPA + CERT-In compliance integrated into every engagement
24/7 incident response availability
Director GRC & Legal at COE Security — Adv. Chetan Seripally
Facing a Similar Security Challenge?
Contact SIRI Law LLP for a confidential scoping call with our legal and technical experts.