
Static cloud credentials and TruffleNet: what IAM teams missed


(@nhi-mgmt-group)
Member Moderator

TL;DR: TruffleNet used stolen AWS credentials, valid API calls, and trusted services like SES to run business email compromise at scale, showing how static cloud identities can be abused without malware or a zero-day, according to Defakto Security. The real failure is architectural: long-lived credentials still outlast the runtime context they were meant to represent.

NHIMG editorial — based on content published by Defakto Security: TruffleNet and cloud abuse at scale, an identity architecture failure

By the numbers:

Questions worth separating out

Q: What breaks when cloud credentials are valid outside their original workload?

A: When a cloud credential can be reused outside the workload that issued it, the identity layer stops distinguishing legitimate execution from attacker replay.

Q: Why do long-lived cloud secrets increase fraud risk in trusted services?

A: Long-lived secrets increase fraud risk because they let attackers operate inside the trust boundary of services like mail delivery, storage, and automation platforms.

Q: How do security teams know if cloud identity controls are failing?

A: The clearest sign is when a stolen credential can be validated, reused, and operationalised from infrastructure that has no relationship to the original workload.

Practitioner guidance

  • Eliminate long-lived cloud secrets from high-risk workflows: Prioritise AWS access keys and service credentials that can be reused outside their original workload or pipeline.
  • Tighten SES and other trusted outbound permissions: Review which machine identities can send mail, verify identities, or import signing material.
  • Measure identity blast radius before the next audit cycle: Map the downstream actions available to each privileged cloud identity, including validation, email sending, and identity configuration.
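As an added example (not from this post or from Defakto Security's analysis), the Python below implements the blast-radius measurement the guidance describes: it flags identities whose oldest active access key exceeds an age threshold and whose IAM policy statements grant SES actions for sending mail, verifying identities, or configuring signing material. The simplified policy matcher, the sample inventory and the choice of SES actions to audit are assumptions.

```python
"""Offline blast-radius check on constructed IAM-shaped data: long-lived keys plus SES grants."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Actions matching the post's guidance (send mail, verify identities, configure signing
# material). Treating exactly this set as high-risk is an assumption, not from the post.
HIGH_RISK_SES_ACTIONS = (
    "ses:SendEmail", "ses:SendRawEmail", "ses:VerifyEmailIdentity",
    "ses:VerifyDomainIdentity", "ses:CreateEmailIdentity", "ses:VerifyDomainDkim",
    "ses:PutEmailIdentityDkimSigningAttributes",
)

def statements_allow(statements, action):
    """Simplified IAM semantics: an explicit Deny wins, else any matching Allow grants.
    Action patterns may use '*' ('ses:*', 'ses:Send*', '*'); Resource/Condition ignored."""
    allowed = False
    for st in statements:
        patterns = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def risky_ses_identities(identities, now, max_key_age_days=90):
    """Return [(name, oldest_active_key_age_days, granted_high_risk_actions)] for each
    identity whose oldest active key exceeds the age threshold and can reach SES."""
    findings = []
    for ident in identities:
        active = [k for k in ident["keys"] if k["status"] == "Active"]
        if not active:
            continue
        age = (now - min(k["created"] for k in active)).days
        if age <= max_key_age_days:
            continue
        granted = [a for a in HIGH_RISK_SES_ACTIONS if statements_allow(ident["statements"], a)]
        if granted:
            findings.append((ident["name"], age, granted))
    return findings

# Constructed sample inventory (not real account data); key creation dates are UTC.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "ci-deploy", "keys": [{"created": datetime(2024, 1, 15, tzinfo=timezone.utc), "status": "Active"}],
     "statements": [{"Effect": "Allow", "Action": "ses:*"}]},
    {"name": "mailer-app", "keys": [{"created": datetime(2025, 5, 20, tzinfo=timezone.utc), "status": "Active"}],
     "statements": [{"Effect": "Allow", "Action": ["ses:SendEmail", "ses:SendRawEmail"]}]},
    {"name": "legacy-admin", "keys": [{"created": datetime(2023, 3, 1, tzinfo=timezone.utc), "status": "Active"}],
     "statements": [{"Effect": "Allow", "Action": "*"}, {"Effect": "Deny", "Action": "ses:Send*"}]},
]
```

Calling `risky_ses_identities(SAMPLE, NOW)` reports `ci-deploy` (wildcard SES access on a 503-day-old key) and `legacy-admin` (identity and signing configuration despite the send Deny), while the recently rotated `mailer-app` key is not flagged.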

What's in the full article

Defakto Security's full analysis covers the operational detail this post intentionally leaves for the source:

  • The sequence of AWS identity validation and SES abuse that enabled authenticated fraud.
  • The specific trust assumptions around verified senders, quotas, and signing material that attackers exploited.
  • The business impact areas, including wire fraud, operational disruption, and audit exposure.
  • The vendor's architectural argument for dynamic, ephemeral identity instead of static secrets.

👉 Read Defakto Security's analysis of TruffleNet and cloud identity abuse at scale →
