AWS - IAM Persistence

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

IAM

For more information access:

AWS - IAM, Identity Center & SSO Enum

Common IAM Persistence

  • Create a user

  • Add a controlled user to a privileged group

  • Create access keys (of the new user or of all users)

  • Grant extra permissions to controlled users/groups (attached policies or inline policies)

  • Disable MFA / Add your own MFA device

  • Create a Role Chain Juggling situation (more on this below in STS persistence)
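Every technique in the list above is a management-plane call recorded by CloudTrail, which is where a defender looks for it. The following is an added example, not code from the original page: it scans CloudTrail records for the IAM event names behind those techniques and reports the caller, the target and whether the call succeeded. SAMPLE_LOG is constructed data in CloudTrail's JSON shape, not real telemetry; the account id, user names and IP address are made up.

```python
"""Flag IAM persistence activity in CloudTrail records.

Added example, not code from the original page. SAMPLE_LOG is constructed
sample data shaped like a CloudTrail log file ({"Records": [...]}).
"""
import json

# eventName -> short description; all are emitted by the iam.amazonaws.com source.
PERSISTENCE_EVENTS = {
    "CreateUser": "new IAM user created",
    "AddUserToGroup": "user added to a group",
    "CreateAccessKey": "new access key created",
    "AttachUserPolicy": "managed policy attached to user",
    "AttachGroupPolicy": "managed policy attached to group",
    "PutUserPolicy": "inline policy put on user",
    "PutGroupPolicy": "inline policy put on group",
    "DeactivateMFADevice": "MFA device deactivated",
    "EnableMFADevice": "MFA device enabled",
    "UpdateAssumeRolePolicy": "role trust policy changed",
    "CreatePolicyVersion": "new managed policy version",
    "SetDefaultPolicyVersion": "default policy version switched",
    "CreateOpenIDConnectProvider": "new OIDC identity provider",
    "CreateSAMLProvider": "new SAML identity provider",
}

# Constructed sample log: one benign EC2 read, one denied MFA change, two IAM changes.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": None},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "admin",
                           "serialNumber": "arn:aws:iam::111111111111:mfa/admin"},
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized"},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Deploy/session"},
     "requestParameters": {"roleName": "Deploy",
                           "policyDocument": "<trust policy JSON omitted in this sample>"}},
]})


def _target_of(params):
    """Best-effort name of the object the call acted on."""
    params = params or {}
    for key in ("userName", "groupName", "roleName", "policyArn", "serialNumber"):
        if key in params:
            return params[key]
    return "-"


def flag_persistence_events(log_text):
    """Return one finding per IAM persistence-related record in a CloudTrail log."""
    records = json.loads(log_text).get("Records", [])
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in PERSISTENCE_EVENTS:
            continue
        identity = rec.get("userIdentity") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "event": name,
            "description": PERSISTENCE_EVENTS[name],
            "actor": identity.get("arn") or identity.get("type", "unknown"),
            "target": _target_of(rec.get("requestParameters")),
            "source_ip": rec.get("sourceIPAddress"),
            # Denied attempts are kept: they show someone probing for these paths.
            "succeeded": "errorCode" not in rec,
        })
    return findings


if __name__ == "__main__":
    for f in flag_persistence_events(SAMPLE_LOG):
        status = "OK    " if f["succeeded"] else "DENIED"
        print(f"{f['time']} {status} {f['event']:<24} {f['actor']} -> {f['target']}")
```

The denied DeactivateMFADevice call is reported on purpose: a principal that is refused MFA changes and then succeeds at creating access keys is exactly the sequence worth an alert, and filtering on errorCode would hide the first half of it.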

Backdoor Role Trust Policies

You could backdoor a role's trust policy so that the role can be assumed from an external principal you control (or by everyone):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*",
                    "arn:aws:iam::123213123123:root"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Backdoor Policy Version

Grant administrator permissions in a version of a managed policy that is not its latest one (the latest version should look legitimate), then assign that version of the policy to a controlled user/group.
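Because only a managed policy's default version is enforced, an audit that reads just the default document misses this. The following is an added example, not code from the original page: it walks every version of one policy, reports which versions grant unconditional "*" on "*", and flags the case where the default looks benign while another version does not (that version is one SetDefaultPolicyVersion call away from being live). SAMPLE_VERSIONS is constructed data in the shape IAM's GetPolicyVersion returns once the Document has been decoded to a dict; the statements in it are made up.

```python
"""Find managed-policy versions that quietly grant administrator access.

Added example, not code from the original page. SAMPLE_VERSIONS is
constructed data in GetPolicyVersion's shape (Document already decoded).
"""


def _as_list(value):
    """IAM allows scalars or lists for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_grants_admin(stmt):
    """True for an unconditional Allow of every action on every resource."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return "*" in actions and "*" in resources


def audit_policy_versions(versions):
    """Summarise which versions of one managed policy grant admin."""
    admin_versions = []
    default_version = None
    for ver in versions:
        if ver.get("IsDefaultVersion"):
            default_version = ver["VersionId"]
        statements = _as_list(ver["Document"].get("Statement"))
        if any(statement_grants_admin(s) for s in statements):
            admin_versions.append(ver["VersionId"])
    return {
        "default_version": default_version,
        "admin_versions": admin_versions,
        # The pattern described above: a benign default with admin hidden elsewhere.
        "hidden_admin": bool(admin_versions) and default_version not in admin_versions,
    }


# Constructed sample: v3 (default) is read-only, v2 grants full admin.
SAMPLE_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": False,
     "Document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": False,
     "Document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["*"], "Resource": "*"}]}},
    {"VersionId": "v3", "IsDefaultVersion": True,
     "Document": {"Version": "2012-10-17", "Statement":
         {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": "arn:aws:s3:::reports/*"}}},
]

if __name__ == "__main__":
    print(audit_policy_versions(SAMPLE_VERSIONS))
```

In a live account the input would come from ListPolicyVersions followed by GetPolicyVersion for each VersionId; the audit itself needs nothing beyond the decoded documents.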

Backdoor / Create Identity Provider

If the account already trusts a common identity provider (such as GitHub), the conditions of that trust could be broadened so that the attacker can abuse them.
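Both the backdoored trust policy shown earlier and a broadened identity-provider trust are visible in the role's trust document itself. The following is an added example, not code from the original page, that audits one trust policy for both: a wildcard or foreign-account AWS principal, and a GitHub Actions OIDC principal whose trust is not pinned to a specific subject. TRUSTED_ACCOUNTS, the LOOSE_OIDC_TRUST sample and the rule that a `sub` condition must exist and not be `*` are this example's own assumptions; BACKDOORED_TRUST reproduces the document from the page.

```python
"""Audit a role trust policy for backdoored principals or loose federation.

Added example, not code from the original page. TRUSTED_ACCOUNTS and
LOOSE_OIDC_TRUST are constructed; BACKDOORED_TRUST is the page's document.
"""

TRUSTED_ACCOUNTS = {"111111111111"}  # constructed: the account ids we expect to see
GITHUB_OIDC = "token.actions.githubusercontent.com"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Account id from 'arn:aws:iam::123456789012:root' or a bare account id."""
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal


def _sub_condition_values(condition):
    """All values bound to the GitHub 'sub' claim, across any condition operator."""
    values = []
    for operator_values in (condition or {}).values():
        for key, val in operator_values.items():
            if key == f"{GITHUB_OIDC}:sub":
                values.extend(_as_list(val))
    return values


def audit_trust_policy(policy):
    """Return a list of (severity, message) findings for one trust policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(("HIGH", "anyone can assume this role (Principal '*')"))
            continue
        principal = principal or {}
        for aws in _as_list(principal.get("AWS")):
            if aws == "*":
                findings.append(("HIGH", "anyone can assume this role (AWS '*')"))
            elif _account_of(aws) not in TRUSTED_ACCOUNTS:
                findings.append(("HIGH", f"external account {_account_of(aws)} is trusted"))
        for fed in _as_list(principal.get("Federated")):
            if GITHUB_OIDC in fed:
                subs = _sub_condition_values(stmt.get("Condition"))
                if not subs or "*" in subs:
                    findings.append(("MEDIUM",
                                     "GitHub OIDC trust is not pinned to a repository 'sub'"))
    return findings


# The backdoored trust policy shown on this page.
BACKDOORED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*", "arn:aws:iam::123213123123:root"]},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed: a GitHub Actions trust that only checks the audience, not the repository.
LOOSE_OIDC_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111111111111:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}},
    }],
}

if __name__ == "__main__":
    for name, doc in (("backdoored", BACKDOORED_TRUST), ("loose-oidc", LOOSE_OIDC_TRUST)):
        for severity, message in audit_trust_policy(doc):
            print(f"{name}: [{severity}] {message}")
```

Run against every role returned by ListRoles (the AssumeRolePolicyDocument field), this gives a quick inventory of which trusts point outside the account and which federated trusts would accept a token from any repository on the provider.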
