About
An attacker with access to your AWS account can create an IAM role to persist their access in your environment.
Understanding Impact
Business Impact
When an attacker creates an IAM role in your environment, they may retain access to your environment for an extended period of time, even after the initial point of compromise (for instance, leaked credentials) has been identified and fixed. The backdoor role is a separate identity with its own trust relationship, so rotating the originally compromised credentials does not revoke it.
Technical Impact
Attackers frequently need a persistent means of keeping access to your environment for an extended period of time. Otherwise, they might lose access quickly, for instance when the compromised credentials are temporary STS credentials, which expire after at most a few hours.
In that context, an attacker can create an IAM role with a malicious trust policy, allowing the role to be assumed from an attacker-controlled AWS account (or, in the crudest form, from any AWS principal via a wildcard). The role is typically also attached to a highly privileged permissions policy so that it can be used for any follow-up activity.
Detection
You can detect when a new IAM role is created using the CloudTrail event CreateRole. This event contains a field requestParameters.assumeRolePolicyDocument that embeds the trust policy of the role. Note that CloudTrail stores this document as a URL-encoded JSON string, so it has to be decoded before the trust policy can be inspected. You can use this field to detect when a role is created with a malicious trust policy, for instance one whose Principal element references an AWS account that is not your own or not in your allow list, or a wildcard principal. The same inspection applies to the UpdateAssumeRolePolicy event, which an attacker can use to add their account to the trust policy of an existing role instead of creating a new one.
You can also use AWS IAM Access Analyzer, which generates a finding when a role's trust policy allows it to be assumed from outside your zone of trust, that is, from an AWS account or organization that is not yours.
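The following Python example, added here and not part of the original page, illustrates both the attack described under Technical Impact and the CloudTrail-based detection above. It constructs a sample CreateRole event (the role name, account IDs and request ID are made up) whose trust policy allows a fictitious attacker account, URL-encodes the trust policy the way CloudTrail records it, and then decodes and inspects the Principal elements, flagging any AWS principal whose account is not in a trusted allow list. The allow list TRUSTED_ACCOUNTS is an assumption of the example; in practice it would be your own accounts or organization.

```python
"""Detect CreateRole events whose trust policy lets an external AWS principal assume the role."""
import json
import urllib.parse

# Assumption for this example: accounts allowed to appear in trust policies
# (the victim account and one legitimate partner account).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def _account_of(principal: str) -> str:
    """Extract the account ID from an ARN such as arn:aws:iam::123456789012:root.
    A bare 12-digit account ID is returned unchanged."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def external_principals(trust_policy: dict, trusted_accounts=TRUSTED_ACCOUNTS) -> set:
    """Return AWS principals allowed by the trust policy that are outside trusted_accounts.
    A wildcard principal is reported as '*'. Service principals (e.g. ec2.amazonaws.com)
    are ignored because they cannot be used from an attacker-controlled account."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    flagged = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            flagged.add("*")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        for p in aws:
            if p == "*" or _account_of(p) not in trusted_accounts:
                flagged.add(p)
    return flagged


def analyze_create_role_event(event: dict, trusted_accounts=TRUSTED_ACCOUNTS):
    """Inspect one CloudTrail record. Returns None for unrelated events, otherwise a dict
    with the role name and the set of external principals allowed to assume it."""
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") != "CreateRole":
        return None
    params = event["requestParameters"]
    # CloudTrail records the trust policy as a URL-encoded JSON string.
    policy = json.loads(urllib.parse.unquote(params["assumeRolePolicyDocument"]))
    return {"role": params["roleName"], "external_principals": external_principals(policy, trusted_accounts)}


def _make_event(role_name: str, trust_policy: dict) -> dict:
    """Build a constructed CloudTrail CreateRole record for this example (not real log data)."""
    return {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateRole",
        "recipientAccountId": "111111111111",
        "requestParameters": {
            "roleName": role_name,
            "assumeRolePolicyDocument": urllib.parse.quote(json.dumps(trust_policy)),
        },
    }


# Constructed samples: a backdoor role trusting a fictitious attacker account,
# a benign EC2 instance role, and a role trusting any AWS principal.
BACKDOOR_EVENT = _make_event("backdoor-role", {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}],
})
BENIGN_EVENT = _make_event("ec2-app-role", {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "ec2.amazonaws.com"}}],
})
WILDCARD_EVENT = _make_event("open-role", {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}},
})


def suspicious_roles(events) -> list:
    """Names of roles created with at least one external or wildcard principal."""
    results = (analyze_create_role_event(e) for e in events)
    return [r["role"] for r in results if r and r["external_principals"]]


if __name__ == "__main__":
    for e in (BACKDOOR_EVENT, BENIGN_EVENT, WILDCARD_EVENT):
        print(analyze_create_role_event(e))
    print("suspicious:", suspicious_roles([BACKDOOR_EVENT, BENIGN_EVENT, WILDCARD_EVENT]))
```

Principals with a Condition element (for example an sts:ExternalId requirement) are still flagged here; a production rule would typically treat them as lower severity rather than ignore them, since the condition does not change which account can attempt the assumption.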
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.persistence.iam-create-backdoor-role
Once you have exercised your detection, remove the backdoor role with stratus cleanup aws.persistence.iam-create-backdoor-role.
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:
References
Create a backdoored IAM Role (stratus-red-team.cloud)
The curious case of DangerDev: Role Creation (invictus-ir.com)