EC2 and IAM jacking? Old Hat
“For the past few years when a threat actor obtained an exposed long-lived AWS access key (AKIA) they would almost always touch a few AWS services first” said Permiso. Theser were chiefly Simple Email Service (SES) for spam campaigns; EC2 resource hijacking “mainly for crypto mining” and IAM services to conduct privilege escalation or persistence techniques.

“In the past six (6) months; however, we have observed a new contender entering the ring as a top-targeted AWS service, Bedrock.”