Demo of SSRF methodology of a website attack to takeover temporary AWS credentials. We will cover two demo’s showing how we can hijack access to EC2 using reserve shell with userdata script. Moreover we will follow approach to inject malicious code to Lambda function without having permissions to update code. End of session will be dedicated to show some examples of JSON policies solving most popular challenges regarding permissions in AWS.