Sonrai Security Releases Industry-First Risk Insights Engine 👉
Learn More
Search Login
Sign In Sign Up for Free

Interactive Product Tour

interactive tour Start a Tour Get a Demo

Interactive Product Tour

interactive tour Start a Tour Get a Demo
Blog
>
Back to Blog

AWS Ransomware: Why CNAPPs & Traditional PAM Miss the Mark

Nigel Sood
September 19, 2025
5 mins to read
Ransomware Blog

TL;DR: Cloud Ransomware in AWS

  • Ransomware has shifted from malware payloads to abusing cloud identities and privileges.
  • AWS is a prime target because its granular privileges can be weaponized to encrypt, delete, or lock data.
  • Traditional defenses fail: CNAPPs, traditional PAM, and AWS’s own tools reveal risks but don’t stop active abuse.
  • Cloud PAM is required. Continuous discovery, least-privilege enforcement, Just-in-Time, and default deny block malicious activity.

The Cloud Ransomware Problem

Ransomware in the cloud is fundamentally different from ransomware on servers or endpoints. Instead of relying on malware payloads, attackers: 

  • Compromise IAM identities through stolen or misused credentials. 
  • Abuse built-in AWS privileges to escalate access and move laterally. 
  • Use legitimate cloud APIs to encrypt, delete, or lock data away from its owners.

In this new model, every action looks like normal cloud activity. There’s no malware payload to scan for and no unusual binaries to flag. That’s what makes cloud ransomware difficult to detect with traditional defenses. It hides in plain sight, inside the permissions your environment already allows.

Why the Cloud Expands the Attack Surface

AWS provides extremely granular permissions to support automation. On their own, these permissions seem harmless. But when combined across users, roles, and services, they create the foundation of privilege.

That’s where the problem begins. As environments grow, permissions pile up, and identities, especially machine identities, often accumulate more access than they require. This over-privileged access is difficult to track, rarely reviewed, and almost never restricted continuously.

For attackers, it’s an ideal target. With a stolen credential, they can inherit excessive privileges and immediately use AWS’s own capabilities to escalate access, move laterally, and lock down data. What was intended to enable automation instead expands the attack surface and gives ransomware room to operate.

Privileged AWS Permissions Abused in Ransomware

Attackers don’t need hundreds of permissions, just a handful of powerful ones. While using `s3:GetObject` and `kms:Decrypt` to retrieve target data, and then using `s3:PutObject` with customer-provided keys (SSE-C) to encrypt, is the simplest and most direct example of how a permission can be used to conduct a ransomware attack, the following AWS permissions are less widely known (or secured) and can have the same impact: 

PermissionPrivilege GrantedHow Attackers Abuse It in Ransomware Attacks
s3:PutBucketPolicyModify or replace bucket access policiesAttackers  can use this permission to gain access to additional buckets or remove a bucket’s encryption controls.
kms:ReEncryptFromReplace the KMS key that protects a given ciphertextWhile S3 ransomware does require `kms:Decrypt` as part of the re-encryption process, ransomware targeting services with direct access to existing ciphertext can instead leverage `kms:ReEncryptFrom` to rotate the ciphertext’s encryption key entirely within the KMS service.
s3:PutLifecycleConfigurationSet or update the lifecycle configuration of a bucketAttackers can use lifecycle configurations to schedule the deletion of objects. This can be used as a stealthy way to delete data, but has also been used as a pressure tactic to add urgency to ransom demands.

Real-World Impact

  • Privilege Escalation: By modifying S3 policies, attackers can strip away protections and gain access to sensitive data. This risks exposing critical data, disrupting operations, and driving up incident response and recovery costs.
  • Data Encryption: Re-encrypting critical data with attacker-controlled keys means your teams are locked out of their own information. Productivity halts, services go offline, and attackers can demand ransom payments to restore access.
  • Recovery prevention:  Lifecycle policy abuse allows attackers to schedule stealthy deletions. This eliminates recovery options, adds urgency to ransom demands, and can permanently destroy intellectual property or compliance-critical records.

Cloud ransomware is already a reality. Each of these impacts has direct business consequences. That’s why privileges that look innocuous on paper can become major risk factors in practice.

Why CNAPPs Don’t Protect These Permissions

Cloud-Native Application Protection Platforms (CNAPPs) are valuable for identifying misconfigurations, scanning vulnerabilities, and mapping compliance risks. But when it comes to ransomware tactics leveraging IAM privileges, CNAPPs fall short: 

  • They highlight risk but don’t prevent active exploitation.
  • Their focus is on configurations, not proactive prevention of misuse
  • They can’t enforce continuous least privilege across human and machine identities.

Bottom line: If an attacker has valid credentials with privileged permissions, CNAPPs won’t stop the attack.

Why Traditional PAM Tools Fall Short in the Cloud

Traditional Privileged Access Management (PAM) was designed for a different world—managing human administrator accounts, vaulting passwords, and recording sessions. But in AWS: 

  • Most privileged activity comes from machine identities, not humans. 
  • Temporary credentials and policies govern access, not static passwords. 
  • Attackers can abuse API-driven privileges far faster than PAM can detect.

Traditional PAM is blind to the cloud reality. It can’t: 

  • Monitor every API call across thousands of cloud identities. 
  • Detect privilege escalation buried in IAM role chaining. 
  • Enforce policy-based restrictions without disrupting operations.

Why First-Party Cloud-Native Tools Aren’t Enough

AWS provides visibility tools like Access Analyzer and IAM Access Advisor, but they aren’t built for defense: 

  • They reveal which permissions exist but don’t enforce controls.
  • They lack continuous monitoring of privilege abuse. 
  • They can’t block or quarantine identities.

These tools are necessary but insufficient for blocking a ransomware campaign already in progress.

The Solution: Cloud-Native Privilege Controls

To stop ransomware in AWS, organizations need controls built specifically for cloud IAM. This includes: 

  • Continuous discovery of privileged permissions across users, roles, and services. 
  • Least privilege enforcement at scale to reduce the attack surface. 
  • Policy-based controls that prevent risky entitlements from being exploited. 
  • Just-in-Time access that grants privileged permissions only when needed and revokes them automatically to limit exposure.

This is the evolution of Privileged Access Management: Cloud PAM, purpose-built for machine identities, dynamic permissions, and API-driven abuse.

Interested in learning how Sonrai Security addresses this gap? Contact us to see how we protect against ransomware by controlling AWS privileged permissions.

FAQ

Q: Can ransomware really happen in AWS without malware?

A: Yes. Attackers don’t need to drop malware in the cloud. They can steal or misuse IAM credentials and then use AWS’s own APIs to encrypt, delete, or lock data.

Q: What’s required to defend against ransomware in AWS?

A: Purpose-built cloud PAM. That means continuous discovery of privileged permissions, least-privilege enforcement at scale, Just-in-Time access to limit standing privileges, and proactive blocking of suspicious API activity before it can cause damage. 

Q: What’s the difference between traditional PAM and Cloud PAM?

A: Traditional PAM protects human admins with static credentials, vaults and session recordings. Cloud PAM secures human identities, machine identities and API-driven access in AWS.

Q: Why can’t AWS’s built-in tools like Access Analyzer stop ransomware?

A: They only provide visibility into permissions. They don’t enforce least privilege or block malicious API calls.

Q: My CNAPP already scans my AWS environment. Why isn’t that enough?

A: CNAPPs surface misconfigurations and vulnerabilities but don’t monitor for active abuse of valid credentials. If an attacker logs in with real credentials, CNAPPs won’t stop them.

Q: What’s the best defense against ransomware in AWS right now?

A: Continuous privilege discovery, policy-based enforcement, and denial of risky API calls. That’s what cloud PAM should provide.

Q: Is Cloud PAM the same as Zero Trust in the cloud?

A: They overlap. Zero Trust is the principle of never trusting by default. Cloud PAM operationalizes that in AWS by enforcing least privilege and Just-in-Time access for machine identities and APIs.

secure sensitive permissions

Explore the First Cloud Permissions Firewall
Get Your Free Trial
Sonrai Main Logo

© 2025 Sonrai Security. All rights reserved

Privacy Policy  |  

Sonrai cloud security platform, products and services are covered by U.S. Patent Nos. 10,728,307, 11,134,085, and 12,218,982, together with other domestic and international patents pending. All rights reserved.