What starting position does this attack require?

The first step is Authenticate to CI/CD (GitHub / GitLab) (T1078) — a initial access primitive. Assumed environment: attacker found a publicly readable S3 bucket.

What is the final impact of this kill-chain?

The final step lands on Push attacker workflow that runs against AWS role (C-ENV-LEAK-PIPELINE), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 7 steps · 6 edges

Approved

Public bucket → CI/CD secret leak → cloud takeover

A public S3 bucket hosts a build artefact containing CI tokens / .env files. Use them to push to the prod CI/CD pipeline and gain a deploy role.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Authenticate to CI/CD (GitHub / GitLab)

T1078 · Valid Accounts

Reconnaissance

Grep artefacts for credentials

W-RECON-JS-SECRETS · Hardcoded Secrets in JS Bundles

Reconnaissance

Find public bucket

C-PUBLIC-BUCKET-HUNT · Public Bucket Hunting

Collection

ListObjects on bucket

C-S3-EXFIL · S3 / Blob / GCS Mass Exfil

Credential Access

Workflow exfils IAM credentials

C-IMDS-V1 · IMDSv1 Credential Theft

Privilege Escalation

Escalate to admin via iam:PassRole

C-AWS-IAM-PASSROLE · AWS iam:PassRole Chain

Initial Access

Push attacker workflow that runs against AWS role

C-ENV-LEAK-PIPELINE · CI/CD Pipeline Secret Leak

§ Context

Assumed environment: attacker found a publicly readable S3 bucket. The org leaks build artefacts and previously embedded secrets in them.

§ Steps

01
Authenticate to CI/CD (GitHub / GitLab)Initial Access
T1078— Valid Accounts
02
Grep artefacts for credentialsReconnaissance
W-RECON-JS-SECRETS— Hardcoded Secrets in JS Bundles
03
Find public bucketReconnaissance
C-PUBLIC-BUCKET-HUNT— Public Bucket Hunting
04
ListObjects on bucketCollection
C-S3-EXFIL— S3 / Blob / GCS Mass Exfil
05
Workflow exfils IAM credentialsCredential Access
C-IMDS-V1— IMDSv1 Credential Theft
06
Escalate to admin via iam:PassRolePrivilege Escalation
C-AWS-IAM-PASSROLE— AWS iam:PassRole Chain
07
Push attacker workflow that runs against AWS roleInitial Access
C-ENV-LEAK-PIPELINE— CI/CD Pipeline Secret Leak

§ References

T1078Valid Accounts

§ Frequently asked

What is the "Public bucket → CI/CD secret leak → cloud takeover" attack path?: A public S3 bucket hosts a build artefact containing CI tokens / .env files. Use them to push to the prod CI/CD pipeline and gain a deploy role. It chains 7 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Authenticate to CI/CD (GitHub / GitLab) (T1078) — a initial access primitive. Assumed environment: attacker found a publicly readable S3 bucket.
What is the final impact of this kill-chain?: The final step lands on Push attacker workflow that runs against AWS role (C-ENV-LEAK-PIPELINE), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Public bucket → CI/CD secret leak → cloud takeover

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Secret echoed to public build log → cloud takeover

Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

WAF SSRF → IMDS → S3 mass exfil (Capital One 2019)

SSRF → IMDS → AssumeRole chain → Org admin

Source map exposure → API key leak → cloud takeover