User Data Script Persistence
Maintain access to an EC2 instance and it's IAM role via user data scripts.
Leverage stolen credentials to use the AWS Console.
Intercept SSM Communications
With access to an EC2 instance you can intercept, modify, and spoof SSM communications.
Role Chain Juggling
Keep your access by chaining assume-role calls.