FORENSIC LEGIBILITY EXAMINER
CASE 087
CONTROLLED ACCESS & AUTHORIZATION
2026-02-28
DISPOSITION: SECURITY CONTROLS AT EACH LAYER WITH TRAVERSABLE GAP IN COMPOSITION

Cloud Infrastructure Access Authority Failure Through Misconfigured Firewall Enabling Credential Theft via Metadata Service at Capital One

When a cloud security architecture deploys a web application firewall, identity and access management roles, and encryption — and the firewall is misconfigured to allow server-side request forgery, and the IAM role attached to the firewall has permissions broader than its function requires — the security controls exist at every layer while their composition creates a traversable path through them. An attacker exploits the firewall misconfiguration to reach the cloud metadata service, obtains temporary credentials from the overly permissive IAM role, and uses those credentials to access data storage containing customer records. Each control individually is a legitimate security mechanism. The way the controls are configured and composed creates the vulnerability. The security architecture exists. The gap is in the composition, not the components.
Failure classification: Layered Security Controls With Composable Misconfiguration Creating Traversable Access Path

Context

Capital One had migrated significant portions of its infrastructure to Amazon Web Services, becoming one of the most prominent enterprise cloud adopters in the financial services industry. The company deployed a multi-layered security architecture: a web application firewall to filter and inspect incoming traffic, IAM roles to control which services could access which resources, encryption for data at rest in S3 storage buckets, and logging and monitoring through AWS CloudTrail. The security architecture was not absent — it was extensive and represented a substantial investment in cloud security.

Paige Thompson had previously worked as a systems engineer at Amazon Web Services, giving her familiarity with AWS architecture, the metadata service, IAM role mechanics, and common cloud security configurations. In March and April 2019, she scanned for and identified Capital One's misconfigured WAF. The misconfiguration allowed server-side request forgery — the ability to cause the WAF to make requests to internal services on the attacker's behalf, including the AWS instance metadata service, which provides temporary credentials to the IAM role assigned to that instance.

Trigger

Thompson exploited the SSRF vulnerability to query the AWS metadata service through the misconfigured WAF. The metadata service returned temporary security credentials for the IAM role attached to the WAF instance. This role had been configured with permissions that extended beyond what the firewall needed for its function — specifically, the role had access to S3 buckets containing customer data. Using the temporary credentials, Thompson accessed approximately 700 S3 folders and downloaded data containing records for approximately 106 million Capital One customers and applicants, including approximately 140,000 Social Security numbers and 80,000 linked bank account numbers.

Thompson did not keep the breach secret. She posted information about the access on social media platforms and a Slack channel under a handle traceable to her identity. On July 17, 2019, a third party who saw her posts reported the information to Capital One through the company's responsible disclosure email address. Capital One confirmed the unauthorized access and notified the FBI. Thompson was arrested on July 29, 2019 and subsequently convicted of wire fraud, unauthorized access to a protected computer, and other charges.

Failure Condition

The security controls existed at each layer. The WAF was deployed to protect the web application. The IAM system controlled access to AWS resources. Encryption protected data at rest. Logging captured API calls. No single control was absent. The failure was in how the controls were configured and how they interacted. The WAF misconfiguration allowed SSRF — a well-known vulnerability class. The IAM role assigned to the WAF had permissions broader than its operational function required — it could access S3 buckets it had no legitimate reason to read. The metadata service provided credentials to any process running on the instance without distinguishing between the intended application and an attacker's SSRF request.

Each component behaved according to its configuration. The WAF processed the SSRF request because its configuration permitted it. The metadata service returned credentials because that is what the metadata service does for any request from the instance. The IAM role granted S3 access because the role's policy included that permission. The S3 buckets delivered data because the credentials presented had the required permissions. The security architecture was a chain of correctly functioning components whose individual configurations, composed together, created a path from the public internet to 106 million customer records. The gap was not in any single control. The gap was in the composition — the way the controls were layered, configured, and connected to each other.
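The logging layer in this chain records every use of the role's credentials, which is where a defender can catch the composition failing even when each component is behaving as configured. The following is an added example, not part of the original case file or any Capital One tooling: it runs two checks over constructed CloudTrail-shaped records, flagging instance-role credentials exercised from outside an assumed 10.0.0.0/16 VPC range and a role invoking actions outside a placeholder set of expected actions.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample records in the shape of CloudTrail events; every account
# number, role, instance id and address below is made up for this example.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "10.0.12.4", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/waf-instance-role/i-0abc123"}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/waf-instance-role/i-0abc123"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/waf-instance-role/i-0abc123"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "10.0.30.9", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0def456"}},
]

# Assumed environment facts: the VPC address space and the only API actions the
# WAF role needs for its function (placeholder set, not the bank's real policy).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/16")]
EXPECTED_ACTIONS = {"waf-instance-role": {"ec2:DescribeInstances", "logs:PutLogEvents"}}


def role_name(event: Dict) -> str:
    """Role name from an STS assumed-role ARN (.../assumed-role/<role>/<session>)."""
    parts = event["userIdentity"].get("arn", "").split("/")
    return parts[1] if len(parts) == 3 and parts[0].endswith(":assumed-role") else ""


def detect(events: Iterable[Dict]) -> List[str]:
    """One finding per rule hit: off-VPC use of instance-role credentials, or a role acting outside its function."""
    findings: List[str] = []
    for ev in events:
        role = role_name(ev)
        if ev["userIdentity"].get("type") != "AssumedRole" or not role:
            continue
        action = f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}"
        ip = ipaddress.ip_address(ev["sourceIPAddress"])
        # Rule 1: credentials issued to an instance are being used off-instance.
        if not any(ip in net for net in TRUSTED_NETS):
            findings.append(f"{role}: {action} from untrusted source {ip}")
        # Rule 2: the role is doing something outside its documented function.
        expected = EXPECTED_ACTIONS.get(role)
        if expected is not None and action not in expected:
            findings.append(f"{role}: unexpected action {action}")
    return findings
```

GetObject calls appear in CloudTrail only when S3 data-event logging is enabled for the bucket; ListBuckets is a management event and is logged by default.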

Observed Response

Thompson was convicted in June 2022. Capital One was fined $80 million by the Office of the Comptroller of the Currency for the bank's failure to establish effective risk assessment processes before migrating to the cloud. The company reached a $190 million settlement with affected customers. AWS subsequently made IMDSv2 — a version of the metadata service that requires session tokens and mitigates SSRF-based credential theft — available by default, though adoption remained voluntary. The case became the primary reference for cloud security misconfiguration risk and the principle that layered security controls must be evaluated not only individually but in composition — the security of the architecture is determined by how the layers interact, not by whether each layer independently exists.
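Why the session-token requirement closes the path described above is easier to see in a small model. The following is an added, constructed stand-in for the metadata service in IMDSv1 and IMDSv2 modes, not AWS code: the token path and header names are those the real service uses, while the role name, the placeholder credentials and the assumption that a relaying component like the misconfigured WAF can only issue a plain GET without caller-chosen headers are this example's own.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed, simplified model of the metadata service in its two modes; not AWS code.
CRED_PATH = "/latest/meta-data/iam/security-credentials/waf-instance-role"
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
FAKE_CREDS = {"AccessKeyId": "ASIA_PLACEHOLDER", "SecretAccessKey": "<placeholder>"}


class MetadataService:
    def __init__(self, require_token: bool):
        self.require_token = require_token          # False: IMDSv1, True: IMDSv2
        self._tokens: Dict[str, float] = {}         # session token -> expiry time

    def handle(self, method: str, path: str,
               headers: Optional[Dict[str, str]] = None) -> Tuple[int, object]:
        headers = headers or {}
        if path == TOKEN_PATH:
            # A session token is issued only to a PUT that carries the TTL header.
            if method != "PUT" or TTL_HEADER not in headers:
                return 400, None
            token = secrets.token_urlsafe(16)
            self._tokens[token] = time.time() + int(headers[TTL_HEADER])
            return 200, token
        if method != "GET" or path != CRED_PATH:
            return 404, None
        if self.require_token:
            # IMDSv2: credentials are released only to the holder of a live token.
            tok = headers.get(TOKEN_HEADER)
            if tok is None or self._tokens.get(tok, 0.0) < time.time():
                return 401, None
        return 200, FAKE_CREDS


def forwarded_get(svc: MetadataService, path: str) -> Tuple[int, object]:
    """A request relayed by a misconfigured proxy: the relay issues a plain GET and
    cannot switch to PUT or attach caller-chosen headers (this model's assumption)."""
    return svc.handle("GET", path)


def sdk_fetch(svc: MetadataService) -> Tuple[int, object]:
    """The full two-step handshake a legitimate client on the instance performs."""
    status, token = svc.handle("PUT", TOKEN_PATH, {TTL_HEADER: "21600"})
    if status != 200:
        return status, None
    return svc.handle("GET", CRED_PATH, {TOKEN_HEADER: token})
```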

Analytical Findings
