Skip to content

Create a backdoored IAM Role

Platform: AWS


  • Persistence


Establishes persistence by creating a new backdoor role with a trust policy allowing it to be assumed from an external, fictitious attack AWS account.

Warm-up: None.


  • Create a new IAM role with the following trust policy:
  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::193672423079:root"
      "Action": "sts:AssumeRole"
  • Attach the 'AdministratorAccess' managed IAM policy to it.

Note: For safety reasons, the detonation code makes sure that this role has no real effective permissions, by attaching a permissions boundary denying all actions. This could also be achieved with an inline role policy, but using a permissions boundary allows us to use a single API call (CreateRole).



Detonate with Stratus Red Team
stratus detonate aws.persistence.iam-create-backdoor-role


  • Through IAM Access Analyzer, which generates a finding when a role can be assumed from a new AWS account or publicly.

  • Identify a call to CreateRole closely followed by AttachRolePolicy with an administrator policy.

  • Identify a call to CreateRole that contains an assumeRolePolicyDocument in the requestParameters that allows access from an external AWS account. Sample event:

  "eventSource": "",
  "eventName": "CreateRole",
  "requestParameters": {
    "roleName": "malicious-iam-role",
    "assumeRolePolicyDocument": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": \"\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::193672423079:root\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}"