I’m not sure if I understood you correctly. Anyway, the assumption of the scenario is that you’ve already compromised low privileged IAM principal access keys (see the first part of the series: https://rzepsky.medium.com/playing-with-cloudgoat-part-1-hacking-aws-ec2-service-for-privilege-escalation-4c42cc83f9da). For example one way of accessing the access keys is the SSRF vulnerability. Here you have such scenario to play more with it: https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/ec2_ssrf/README.md