If you detect fetch-url-file-3A-2F-2F-2Froot-2F.aws-2Fconfig in your logs or you have been targeted:
The .aws/ directory is the standard storage location for the AWS Command Line Interface (CLI) and AWS SDK setups.

| Targeted File Path | Sensitive Data Exposed | Impact Level |
| --- | --- | --- |
| /root/.aws/config | Region configs, assumed role names, profiles | (Reconnaissance) |
| /root/.aws/credentials | Hardcoded Access Keys and Secret Keys | Critical (Total Compromise) |
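A log check for the indicator above, as an added example that is not part of the original article: it decodes the hyphen-escaped form (`-3A`, `-2F`) and ordinary percent-encoding, then flags `file://` fetches of the two paths in the table. The function names, the sample log lines, and the assumption that the hyphen escapes use uppercase hex are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Impact labels taken from the table above.
IMPACT = {"config": "Reconnaissance", "credentials": "Critical (Total Compromise)"}

# "-3A" / "-2F" style escapes, as in the indicator string on this page
# (assumption: uppercase hex only, to avoid rewriting ordinary hyphenated words).
SLUG_ESCAPE = re.compile(r"-([0-9A-F]{2})")
# file:// URL that resolves to an AWS CLI/SDK config or credentials file.
AWS_FILE = re.compile(r"file:/*(/[^\s\"'?#]*\.aws/(config|credentials))\b", re.I)

def normalize(text, max_rounds=3):
    """Undo hyphen and percent escapes, repeating to catch nested encoding."""
    text = SLUG_ESCAPE.sub(r"%\1", text)
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan(lines):
    """Return (line_number, file_path, impact) for every matching log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = AWS_FILE.search(normalize(line))
        if match:
            hits.append((number, match.group(1), IMPACT[match.group(2).lower()]))
    return hits

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.7 "GET /fetch-url-file-3A-2F-2F-2Froot-2F.aws-2Fconfig HTTP/1.1" 200',
    '203.0.113.7 "GET /fetch?url=file%3A%2F%2F%2Froot%2F.aws%2Fcredentials HTTP/1.1" 200',
    '198.51.100.4 "GET /fetch?url=https%3A%2F%2Fexample.com%2Fdocs%2Faws-config HTTP/1.1" 200',
    '203.0.113.7 "GET /fetch?url=file%253A%252F%252F%252Froot%252F.aws%252Fconfig HTTP/1.1" 200',
]

if __name__ == "__main__":
    for number, path, impact in scan(SAMPLE_LOG):
        print(f"line {number}: {path} -> {impact}")
```

A hit on the credentials path is the one to treat as key exposure; the third sample line is a benign URL that merely contains "aws-config" and is not flagged.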
With a valid aws_access_key_id and aws_secret_access_key, an attacker gains the same permissions as the legitimate user – often to all AWS resources:
. It requires a session token, making SSRF much harder to execute.
IAM Roles: Never store hardcoded keys in .aws/config
Article last updated: June 2026
Some developers think, “Our config file is not in /root/.aws/config, it’s somewhere else.” Attackers don’t stop at one path. They will try: