Tales from the cloud trenches: Unwanted visitor
ID: 7c001e86-0988-5652-9240-55a1d6bf8114
STIX ID: report--7c001e86-0988-5652-9240-55a1d6bf8114
Feed Name: Datadog Security Labs
Attackers used a compromised AWS long-term access key to obtain console access via STS federation and sign-in tokens. They created a deceptively named role (SupportAWS) whose trust policy allowed assumption by an external malicious account (713521355166), attached the AdministratorAccess policy to it, and created an administrative IAM user (supdev) for persistence. They enumerated AWS SES (GetAccount, ListEmailIdentities, GetSendQuota) and used multiple IP addresses and a VPN to evade detection. The report lists the attacker IP addresses, the attacker account ID, and the created user and role names as indicators, and provides detection guidance.
