You’re reviewing an AWS account. You need to check Lambda security. What are the attack vectors? What misconfigurations should you look for? What CLI commands give you the full picture?
You open AWS docs. Then a blog post. Then another one from 2022 that may or may not still apply. Then Stack Overflow. Four tabs later you have half the answer.
Multiply that by 54 services.
I put everything in one place.
What’s a security card?
One page per AWS service. Each card has six sections:
- Attack vectors: how the service gets compromised in practice
- Misconfigurations: the stuff that keeps showing up in audits
- Enumeration commands: **_aws cli_** commands, copy-paste ready
- Privilege escalation: how initial access turns into something worse
- Persistence: how attackers stay in
- Detection indicators: CloudTrail events and GuardDuty findings to watch
Plus a risk score, good vs. bad policy examples side by side, and defense recommendations.
tocconsulting.fr/security-cards. No signup. No email. Just open it.
Example: S3
Open the S3 card. You get:
Attack vectors: bucket policy manipulation, cross-account access abuse, SSE-C ransom (yes, that’s a thing now).
Misconfigurations: **_BlockPublicAccess_** off is the obvious one. But also wildcard principals in bucket policies, missing encryption enforcement, no access logging.
CLI commands:

```bash
aws s3api get-bucket-policy --bucket my-bucket
aws s3api get-public-access-block --bucket my-bucket
aws s3api get-bucket-acl --bucket my-bucket
```
Detection: CloudTrail management events like PutBucketPolicy, DeleteBucketPolicy, and PutBucketEncryption are logged by default. Enable S3 data events to catch object-level activity like GetObject and PutObject. Copy both into your alerting rules.
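To show what checking the S3 card's misconfigurations looks like once you have the command output, here is an added example (not code from the security cards): it parses the JSON returned by `aws s3api get-bucket-policy`, `get-public-access-block` and `get-bucket-logging` and flags wildcard principals in Allow statements, missing encryption enforcement, Block Public Access settings that are off, and disabled access logging. The card lists the first two commands; `get-bucket-logging` is used here for the access-logging check, and all three responses are constructed samples, not real buckets.

```python
"""Flag S3 misconfigurations by parsing `aws s3api` JSON responses (added example)."""
import json

# Constructed sample responses mirroring the shape of the CLI output (not real buckets).
POLICY_RESPONSE = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Sid": "Partner", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-bucket"},
    ],
})}
PAB_RESPONSE = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
LOGGING_RESPONSE = {}  # get-bucket-logging returns an empty object when logging is off

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _has_wildcard_principal(stmt):
    # Principal may be "*", {"AWS": "*"} or {"AWS": ["*", "arn:..."]}
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values())

def _enforces_sse(stmt):
    # A Deny on PutObject conditioned on the SSE header is the usual enforcement pattern
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    if stmt.get("Effect") != "Deny" or not actions & {"s3:putobject", "s3:*"}:
        return False
    keys = {k.lower() for cond in stmt.get("Condition", {}).values() for k in cond}
    return any(k.startswith("s3:x-amz-server-side-encryption") for k in keys)

def audit_bucket(policy_resp, pab_resp, logging_resp):
    """Return a list of findings; policy_resp is None when the bucket has no policy."""
    findings = []
    stmts = _as_list(json.loads(policy_resp["Policy"]).get("Statement", [])) if policy_resp else []
    for s in stmts:
        if s.get("Effect") == "Allow" and _has_wildcard_principal(s):
            findings.append(f"wildcard principal in Allow statement {s.get('Sid', '<no Sid>')}")
    if not any(_enforces_sse(s) for s in stmts):
        findings.append("no Deny statement enforcing server-side encryption on PutObject")
    pab = (pab_resp or {}).get("PublicAccessBlockConfiguration", {})
    findings.extend(f"{flag} is off" for flag in PAB_FLAGS if not pab.get(flag, False))
    if "LoggingEnabled" not in (logging_resp or {}):
        findings.append("server access logging disabled")
    return findings
```

Feed it the output of the three commands run with `--output json` for each bucket; a bucket without a policy makes `get-bucket-policy` fail, which you map to `policy_resp=None`.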
Same structure for all 54 services.
What’s covered
9 categories:
| Category | Services |
|---------------------|-------------------------------------------------------------------------------------------|
| Identity & Security | IAM, KMS, Secrets Manager, STS, Cognito, ACM, Directory Service, Organizations, GuardDuty |
| Compute | EC2, Lambda, ECS, EKS, Batch, CodeBuild, App Runner, Amplify |
| Storage | S3, EBS, EFS, Backup |
| Database | RDS, DynamoDB, ElastiCache, OpenSearch, Redshift, MemoryDB |
| Networking | VPC, ELB, CloudFront, API Gateway, Route 53, AppSync, Network Firewall, WAF |
| Analytics | Glue, Athena, Kinesis, MSK, Lake Formation |
| Integration | SNS, SQS, EventBridge, Step Functions, Transfer Family, DataSync |
| Monitoring | CloudTrail, CloudWatch, Inspector, Config, SSM |
| AI/ML | SageMaker, Bedrock |
The usual suspects, but also the ones nobody audits: Transfer Family, Lake Formation, AppSync, MemoryDB. Until someone exploits them.
Numbers
- 54 services
- 500+ attack vectors
- 300+ CLI commands
- 200+ detection indicators
Use it however you want
As an audit checklist. As a pentest reference. As a pre-deployment review. Print the detection indicators and pin them next to your SIEM. Whatever works.
Goes with the whitepaper
I also wrote a whitepaper covering AWS security strategy for 2026, IAM, Zero Trust, agentic AI threats, compliance mapping. The cards give you per-service details. The whitepaper gives you the big picture.
tocconsulting.fr/whitepaper. Also free. Also no gate.
Links
- Security Cards: https://tocconsulting.fr/security-cards
- Whitepaper: https://tocconsulting.fr/whitepaper