AWS has introduced a new S3 bucket namespace pattern (prefix-accountid-region-an) that prevents bucketsquatting attacks by binding bucket names to specific AWS accounts and regions. This recommended protection addresses a decade-long vulnerability where predictable bucket naming allowed attackers to register deleted buckets and access sensitive data.
A race condition vulnerability in a web application's file upload feature allowed RCE by exploiting a 2-second window in which uploaded files were stored locally before being moved to S3. The modify.php endpoint lacked the extension filtering present in upload.php, enabling PHP shell upload followed by rapid re-requests to execute the file during the local storage window before S3 migration.
A complete SSRF-to-RCE exploit chain on AWS Elastic Beanstalk that leverages the EC2 metadata service to extract IAM credentials, then uses those credentials to upload a PHP web shell to an accessible S3 bucket for remote code execution. The attack demonstrates how weak IAM policies can enable escalation from SSRF to full system compromise.