IAM Persistence

How to maintain persistent aws access leveraging iam

AWS Access Keys

  • AWS IAM users can have up to 2 sets of access keys
  • Consider creating a second pair after compromising the first so that you have a backup if the first keys get burned
# list all iam access keys for a user
aws iam list-access-keys --user-name <iamUserName> --profile <awsProfile>
# create iam access keys
aws iam create-access-key --user-name <iamUserName> --profile <awsProfile>

AWS Trust Policies

  • Consider accessing an IAM Role, which can function across AWS accounts
  • Even if you lose direct access to the target account, you can still assume the role from another account if you've modified the role's Trust Policy
# assume an iam role
aws sts assume-role --role-arn <arnIamRole> --role-session-name <whatever> --profile <awsProfile>

AWS Vulnerable Trust Policies

  • Poorly written IAM policies can lead to unintended behavior
  • Consider this policy which allows the Lambda service from any AWS account to assume this role
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {
"AWS": "*",
"Service": ""},
"Action": "sts:AssumeRole"