From no access at all, to the company Amazon's root account, this talk will teach attendees about the components used in cloud applications like: EC2, SQS, IAM, RDS, meta-data, user-data, Celery; and how misconfigurations in each can be abused to gain access to operating systems, database information, application source code and Amazon's services through it's API. The talk will follow a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application and all the steps he takes to reach the root account for the Amazon user. Except from the initial vulnerability, a classic remote file include in a Web application which grants access to the front-end EC2 instance, all the other vulnerabilities and weaknesses exploited by this intruder are going to be cloud-specific. The tools used by this intruder are going to be released after the talk and will provide the following features: Enumerate access to AWS services for current IAM role Use poorly configured IAM role to create new AWS user Extract current AWS credentials from meta-data, .boto.cfg, environment variables, etc. Clone DB to access information stored in snapshot Inject raw Celery task for pickle attack