User Data Script Persistence
Maintain access to an EC2 instance and it's IAM role via user data scripts.
Leverage stolen credentials to use the AWS Console.
Get IAM Credentials from a Console Session
Convert access to the AWS Console into IAM credentials.
Intercept SSM Communications
With access to an EC2 instance you can intercept, modify, and spoof SSM communications.
How to establish persistence on a Lambda function after getting remote code execution.
Role Chain Juggling
Keep your access by chaining assume-role calls.
S3 File ACL Persistence
Maintain access to S3 resources by configuring Access Control Lists associated with S3 Buckets or Objects.