Create an IAM Roles Anywhere trust anchor
MITRE ATT&CK Tactics
- Persistence
- Privilege Escalation
Establishes persistence by creating an IAM Roles Anywhere trust anchor. IAM Roles Anywhere lets workloads that run outside AWS obtain temporary credentials for IAM roles by presenting an X.509 client certificate issued by a certificate authority that has been registered with the service as a "trust anchor". A Roles Anywhere "profile" then lists which roles holders of such certificates may assume.
Assuming IAM Roles Anywhere is in use (i.e., that some of the IAM roles in the account have a trust policy trusting the rolesanywhere.amazonaws.com service principal), an attacker who can create a trust anchor can register a CA they control, create a profile that references those roles, and then obtain credentials for them from outside AWS using a certificate they issued themselves. Roles whose trust policy pins a specific trust anchor ARN with an aws:SourceArn condition are not reachable from a newly created anchor; conditions on certificate attributes such as the subject CN do not help, since the attacker controls the issuing CA.
- Create an IAM role whose trust policy allows the IAM Roles Anywhere service principal to assume it (see docs); this is the precondition the technique relies on
- Create an IAM Roles Anywhere trust anchor backed by a CA certificate the attacker controls
- Create an IAM Roles Anywhere profile that references the role
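The three steps above, and the assumption that some roles trust the Roles Anywhere service, as an added worked example (not code from the original page or from the project it describes). It builds the role trust policy for step 1, the request bodies for the CreateTrustAnchor and CreateProfile calls of steps 2 and 3, and an audit that, given the output of iam:ListRoles, reports which roles a newly created trust anchor could reach. The role names, account ID and ARNs are constructed sample data; the request bodies are the shapes accepted by the boto3 rolesanywhere client's create_trust_anchor and create_profile methods.

```python
import json

ROLES_ANYWHERE_SERVICE = "rolesanywhere.amazonaws.com"
# Actions the Roles Anywhere service principal needs on a role it vends.
ROLES_ANYWHERE_ACTIONS = ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]


def build_trust_policy(trust_anchor_arn=None):
    """Trust policy for a role usable through IAM Roles Anywhere (step 1).
    Without trust_anchor_arn the role accepts sessions from any trust anchor
    in the account; with it, aws:SourceArn pins the role to one anchor, so an
    anchor an attacker creates later cannot use the role."""
    statement = {"Effect": "Allow",
                 "Principal": {"Service": ROLES_ANYWHERE_SERVICE},
                 "Action": ROLES_ANYWHERE_ACTIONS}
    if trust_anchor_arn:
        statement["Condition"] = {"ArnEquals": {"aws:SourceArn": trust_anchor_arn}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_trust_anchor_request(name, ca_cert_pem):
    """Body for rolesanywhere:CreateTrustAnchor (step 2). An uploaded bundle
    is how a CA the attacker controls gets registered."""
    return {"name": name, "enabled": True,
            "source": {"sourceType": "CERTIFICATE_BUNDLE",
                       "sourceData": {"x509CertificateData": ca_cert_pem}}}


def build_profile_request(name, role_arns):
    """Body for rolesanywhere:CreateProfile (step 3): the roles that
    certificates chaining to the anchor may be exchanged for."""
    return {"name": name, "enabled": True, "roleArns": list(role_arns)}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _trusts_roles_anywhere(statement):
    principal = statement.get("Principal")
    if statement.get("Effect") != "Allow" or not isinstance(principal, dict):
        return False
    return ROLES_ANYWHERE_SERVICE in _as_list(principal.get("Service", []))


def _pinned_to_trust_anchor(statement):
    # Only a condition on aws:SourceArn (the trust anchor ARN) keeps a foreign
    # anchor out. Conditions on certificate attributes such as
    # aws:PrincipalTag/x509Subject/CN do not: whoever controls the CA behind
    # the new anchor issues certificates with any subject they like.
    for keys in statement.get("Condition", {}).values():
        for key, values in keys.items():
            if key.lower() == "aws:sourcearn" and any(v != "*" for v in _as_list(values)):
                return True
    return False


def roles_exposed_to_new_trust_anchor(roles):
    """Names of roles (iam:ListRoles entries) that a newly created trust
    anchor plus profile could assume."""
    exposed = []
    for role in roles:
        statements = _as_list(role["AssumeRolePolicyDocument"].get("Statement", []))
        if any(_trusts_roles_anywhere(s) and not _pinned_to_trust_anchor(s) for s in statements):
            exposed.append(role["RoleName"])
    return exposed


# Constructed sample of iam:ListRoles output (not from a real account).
PINNED_ANCHOR = ("arn:aws:rolesanywhere:us-east-1:123456789012:"
                 "trust-anchor/11111111-1111-1111-1111-111111111111")
SAMPLE_ROLES = [
    {"RoleName": "onprem-backup-role", "AssumeRolePolicyDocument": build_trust_policy()},
    {"RoleName": "onprem-deploy-role", "AssumeRolePolicyDocument": build_trust_policy(PINNED_ANCHOR)},
    {"RoleName": "cn-only-role", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": ROLES_ANYWHERE_SERVICE},
                       "Action": ROLES_ANYWHERE_ACTIONS,
                       "Condition": {"StringEquals": {
                           "aws:PrincipalTag/x509Subject/CN": "build.corp.example"}}}]}},
    {"RoleName": "ec2-app-role", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}]}},
]

if __name__ == "__main__":
    exposed = roles_exposed_to_new_trust_anchor(SAMPLE_ROLES)
    print("roles reachable from a new trust anchor:", exposed)
    # What the attacker would submit for steps 2 and 3 (placeholder PEM).
    anchor = build_trust_anchor_request("attacker-anchor", "-----BEGIN CERTIFICATE-----\n...")
    profile = build_profile_request(
        "attacker-profile", [f"arn:aws:iam::123456789012:role/{n}" for n in exposed])
    print(json.dumps({"trust_anchor": anchor, "profile": profile}, indent=2))
```

Run against real iam:ListRoles output, the audit gives the defender's view of the same assumption the attacker makes: onprem-backup-role and cn-only-role are reachable from any new anchor, onprem-deploy-role is not because its trust policy pins the anchor ARN. Pinning every Roles Anywhere role to its intended trust anchor is the fix that removes the precondition.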
Identify when a trust anchor is created, through CloudTrail's
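Detection logic over CloudTrail, as an added example that is not part of the original page: it selects the CreateTrustAnchor and CreateProfile events emitted under the rolesanywhere.amazonaws.com event source and groups them by the principal that issued them, so an anchor and the profile created right after it by the same identity are reported together with the roles that profile grants. The records, principals and ARNs are constructed sample data shaped like CloudTrail output; the denied attempt is included to show that failed calls are kept rather than dropped.

```python
import json
from collections import defaultdict

ROLES_ANYWHERE_EVENT_SOURCE = "rolesanywhere.amazonaws.com"
# Management events written by the trust anchor and profile creation steps.
WATCHED_EVENTS = ("CreateTrustAnchor", "CreateProfile")

ACTOR = "arn:aws:iam::123456789012:user/contractor"
INTERN = "arn:aws:iam::123456789012:user/intern"
# Constructed sample CloudTrail delivery (not real logs): one principal is
# denied, another registers an uploaded CA bundle as a trust anchor and then
# creates a profile granting two roles to certificates chaining to it.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": ROLES_ANYWHERE_EVENT_SOURCE,
     "eventName": "CreateTrustAnchor", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": INTERN},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": ACTOR}},
    {"eventTime": "2024-05-01T10:01:12Z", "eventSource": ROLES_ANYWHERE_EVENT_SOURCE,
     "eventName": "CreateTrustAnchor", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": ACTOR},
     "requestParameters": {"name": "backup-anchor",
                           "source": {"sourceType": "CERTIFICATE_BUNDLE"}},
     "responseElements": {"trustAnchor": {"trustAnchorArn":
         "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/aaaaaaaa-0000-0000-0000-000000000001"}}},
    {"eventTime": "2024-05-01T10:01:40Z", "eventSource": ROLES_ANYWHERE_EVENT_SOURCE,
     "eventName": "CreateProfile", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": ACTOR},
     "requestParameters": {"name": "backup-profile", "roleArns": [
         "arn:aws:iam::123456789012:role/onprem-backup-role",
         "arn:aws:iam::123456789012:role/cn-only-role"]}},
]})


def parse_trail_records(raw_json):
    """CloudTrail delivers each log file as {"Records": [...]}."""
    return json.loads(raw_json)["Records"]


def rolesanywhere_events(records):
    """Select the Roles Anywhere management events this technique produces,
    keeping denied attempts, which are a signal on their own."""
    return [r for r in records
            if r.get("eventSource") == ROLES_ANYWHERE_EVENT_SOURCE
            and r.get("eventName") in WATCHED_EVENTS]


def findings_by_actor(records):
    """Group watched events by issuing principal, with the anchor's CA source
    and the roles each profile grants, for the analyst to review together."""
    by_actor = defaultdict(list)
    for rec in rolesanywhere_events(records):
        params = rec.get("requestParameters") or {}  # absent on denied calls
        entry = {"time": rec["eventTime"], "event": rec["eventName"],
                 "name": params.get("name"), "source_ip": rec.get("sourceIPAddress"),
                 "denied": rec.get("errorCode") is not None}
        if rec["eventName"] == "CreateTrustAnchor":
            # CERTIFICATE_BUNDLE means a CA that AWS did not issue and cannot
            # vouch for; AWS_ACM_PCA at least ties the anchor to a Private CA.
            entry["source_type"] = (params.get("source") or {}).get("sourceType")
            entry["trust_anchor_arn"] = ((rec.get("responseElements") or {})
                                         .get("trustAnchor", {}).get("trustAnchorArn"))
        else:
            entry["role_arns"] = params.get("roleArns", [])
        by_actor[rec.get("userIdentity", {}).get("arn", "<unknown>")].append(entry)
    return dict(by_actor)


if __name__ == "__main__":
    for actor, entries in findings_by_actor(parse_trail_records(SAMPLE_TRAIL)).items():
        print(actor)
        for e in entries:
            print("  ", json.dumps(e))
```

In a SIEM the same selection is `eventSource = "rolesanywhere.amazonaws.com" AND eventName IN ("CreateTrustAnchor", "CreateProfile")`; the grouping above is what turns two separate hits into one story: who registered a CA the account did not previously trust, and which roles they then mapped to it.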