[stingraycharles]

Wait, so they managed to make AWS trigger a request on their own bucket using AWS internal credentials, and they extrapolate that this means they now have access to $everything ?

[andrewguenther]

Even worse, they got AccessDenied when making that request and then extrapolated that they have access to $everything

[stingraycharles]

That’s ridiculous, it’s entirely possible that these are one-time credentials for a single purpose and/or severely limited in scope.

Not saying that it’s a certainty it’s not, but if you make such a claim, you should better have some evidence to back it up.