AWS - IAM Persistence

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

IAM

For more information access:

{% content-ref url="../aws-services/aws-iam-enum.md" %} aws-iam-enum.md {% endcontent-ref %}

Common IAM Persistence

Create a user
Add a controlled user to a privileged group
Create access keys (of the new user or of all users)
Grant extra permissions to controlled users/groups (attached policies or inline policies)
Disable MFA / Add you own MFA device
Create a Role Chain Juggling situation (more on this below in STS persistence)

Backdoor Role Trust Policies

You could backdoor a trust policy to be able to assume it for an external resource controlled by you (or to everyone):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*",
                    "arn:aws:iam::123213123123:root"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Backdoor Policy Version

Give Administrator permissions to a policy in not its last version (the last version should looks legit), then assign that version of the policy to a controlled user/group.

Backdoor / Create Identity Provider

If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them.