IAM - Persistence

How to maintain persistent aws access leveraging iam

AWS Access Keys

  • AWS IAM users can have up to 2 sets of access keys

  • Consider creating a second pair after compromising the first so that you have a backup if the first keys get burned

# list all iam access keys for a user
aws iam list-access-keys --user-name <iamUserName> --profile <awsProfile>

# create iam access keys
aws iam create-access-key --user-name <iamUserName> --profile <awsProfile>

AWS Trust Policies

  • Consider accessing an IAM Role, which can function across AWS accounts

  • Even if you lose direct access to the target account, you can still assume the role from another account if you've modified the role's Trust Policy

# assume an iam role
aws sts assume-role --role-arn <arnIamRole> --role-session-name <whatever> --profile <awsProfile>

AWS Vulnerable Trust Policies

  • Poorly written IAM policies can lead to unintended behavior

  • Consider this policy which allows the Lambda service from any AWS account to assume this role

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
	  "AWS": "*",
	  "Service": "lambda.amazonaws.com"},
      "Action": "sts:AssumeRole"

Last updated