
AWS cryptomining attacks: what permission controls are teams missing?


(@nhi-mgmt-group)

TL;DR: A cloud cryptomining campaign is abusing compromised credentials to make privileged AWS API calls, while detection only spots the activity after it begins, according to Sonrai Security. The real gap is not visibility but standing permission to execute high-risk actions that most identities never need.

NHIMG editorial — based on content published by Sonrai Security: Preventing This Week's AWS Cryptomining Attacks and Why Permissions Matter

Questions worth separating out

Q: How should security teams stop cryptomining attacks that use valid cloud credentials?

A: Block the privileged API calls that cryptominers need before they can create compute, persistence, or public exposure.

Q: Why do over-privileged cloud identities make cryptomining worse?

A: Because the attacker does not need to break the platform when the identity already has the rights to create workloads, modify instances, or expose functions publicly.

Q: What do teams get wrong about cloud detection in identity attacks?

A: They assume alerts can compensate for excessive access.

Practitioner guidance

  • Inventory privileged cloud APIs that can create or persist compute: map actions such as launch template creation, task definition registration, instance modification, and public function exposure.
  • Enforce default-deny on rare privileged permissions: treat permissions that almost no identity uses as exception-only rights.
  • Move elevation to task-scoped access requests: replace always-on admin-style rights with time-bound requests tied to specific cloud work.

What's in the full article

Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The exact AWS API calls used in the cryptomining chain and why each one matters to containment.
  • The permission model Sonrai Security describes for blocking privileged actions without breaking legitimate cloud operations.
  • The side-by-side testing results showing which attack paths were blocked and which remained open in unprotected accounts.
  • The operational workflow for permissions-on-demand, including how approvals, notifications, and re-enablement fit together.

👉 Read Sonrai Security's analysis of AWS cryptomining attacks and cloud permissions →
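As an added illustration of the three guidance points in this post (inventory the privileged APIs, default-deny the ones almost nobody uses, and make elevation exception-only), the following Python is example code written for this summary. It is not Sonrai Security's tooling and does not come from the source article. It assumes CloudTrail-shaped records, a hand-picked set of six real IAM action names standing in for the categories the post lists (the source's exact API chain is not reproduced here), a principal tag named `elevated` that an elevation workflow would set for a bounded window and then clear, and a few constructed sample events rather than real logs.

```python
"""Added example: inventory high-risk AWS API usage from CloudTrail-style
records and emit a default-deny policy for the actions almost nobody uses.
Not Sonrai Security's code; the action list, tag name and records are assumptions."""
import json

# Assumed mapping from the categories named in the post to IAM action names.
# The strings are real IAM actions; picking these six as the
# "create / persist / expose compute" set is this example's own choice.
HIGH_RISK_ACTIONS = {
    "ec2:RunInstances": "instance creation",
    "ec2:CreateLaunchTemplate": "launch template creation",
    "ec2:ModifyInstanceAttribute": "instance modification",
    "ecs:RegisterTaskDefinition": "task definition registration",
    "lambda:AddPermission": "public function exposure (resource policy)",
    "lambda:CreateFunctionUrlConfig": "public function exposure (function URL)",
}

ACCT = "arn:aws:iam::123456789012:"  # placeholder account, constructed


def _event(arn, source, name):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"userIdentity": {"arn": arn}, "eventSource": source, "eventName": name}


# Constructed sample records; not real logs.
SAMPLE_EVENTS = [
    _event(ACCT + "role/ci-deployer", "ecs.amazonaws.com", "RegisterTaskDefinition"),
    _event(ACCT + "role/ci-deployer", "ecs.amazonaws.com", "RegisterTaskDefinition"),
    _event(ACCT + "role/ci-deployer", "ec2.amazonaws.com", "RunInstances"),
    _event(ACCT + "user/alice", "ec2.amazonaws.com", "DescribeInstances"),
    _event(ACCT + "user/alice", "ec2.amazonaws.com", "RunInstances"),
    _event(ACCT + "role/app-deployer", "ec2.amazonaws.com", "RunInstances"),
    _event(ACCT + "role/platform-admin", "ec2.amazonaws.com", "CreateLaunchTemplate"),
]


def iam_action(event):
    """Map a CloudTrail record to its IAM action string, e.g. ec2:RunInstances."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def inventory(events):
    """Return {high-risk action: set of principal ARNs that called it}.
    Every action in HIGH_RISK_ACTIONS is present, even with zero callers,
    so unused privileged rights show up in the report too."""
    callers = {action: set() for action in HIGH_RISK_ACTIONS}
    for ev in events:
        action = iam_action(ev)
        if action in callers:
            callers[action].add(ev["userIdentity"]["arn"])
    return callers


def rare_actions(callers, max_callers=1):
    """High-risk actions used by at most max_callers distinct identities.
    These are the candidates for default-deny with exception-only access."""
    return sorted(a for a, who in callers.items() if len(who) <= max_callers)


def deny_policy(actions, elevation_tag="elevated"):
    """Deny the given actions unless the principal carries the elevation tag.
    The tag name is an assumption; an elevation workflow would set it for a
    bounded window and remove it afterwards. With StringNotEquals, a request
    whose principal lacks the tag key entirely still matches, so untagged
    identities are denied by default."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRarePrivilegedActionsUnlessElevated",
            "Effect": "Deny",
            "Action": actions,
            "Resource": "*",
            "Condition": {"StringNotEquals": {f"aws:PrincipalTag/{elevation_tag}": "true"}},
        }],
    }


def is_denied(policy, action, principal_tags):
    """Minimal evaluator for the single-statement shape deny_policy() emits:
    does the Deny match this action for a principal with these tags?
    All keys in one StringNotEquals block must mismatch for it to apply.
    (Not a full IAM evaluator.)"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        cond = stmt["Condition"]["StringNotEquals"]
        if all(principal_tags.get(k.split("/", 1)[1]) != v for k, v in cond.items()):
            return True
    return False


if __name__ == "__main__":
    callers = inventory(SAMPLE_EVENTS)
    for action, who in callers.items():
        print(f"{action:32} {len(who)} caller(s)  [{HIGH_RISK_ACTIONS[action]}]")
    print(json.dumps(deny_policy(rare_actions(callers)), indent=2))
```

The `max_callers` threshold is the knob that decides what counts as "almost no identity uses it"; on the sample data, `ec2:RunInstances` is used by three of four identities and is left alone, while the other five actions (including the three with no callers at all) land in the Deny statement. The emitted document can be attached as an identity policy or, at the organization level, as an SCP. The policy alone cannot express a time limit; the time-bound part of the guidance is enforced by the elevation workflow that sets the `elevated` tag for a specific piece of work and removes it when the window closes.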
