Creating a new backdoor IAM role
An attacker with access to your AWS account can create an IAM role to persist their access in your environment.

Understanding Impact

Business Impact

When an attacker creates an IAM role in your environment, they may continue to have access to your environment for an extended period of time even when the root cause of the breach is identified and fixed.

Technical Impact

Attackers frequently need a persistent means of keeping access to your environment for an extended period of time. Otherwise, they might lose access quickly, for instance when the credentials they compromised are temporary STS credentials that expire.

In that context, an attacker can create an IAM role with a malicious trust policy, allowing the role to be assumed from an attacker-controlled AWS account.


You can detect when a new IAM role is created using the CloudTrail event CreateRole. This event contains a field requestParameters.assumeRolePolicyDocument that embeds the trust policy of the role as a string. You can use this field to detect when a role is created with a malicious trust policy, for example one whose Principal is an AWS account you do not own.

You can also use AWS IAM Access Analyzer, which generates a finding when a role can be assumed from a previously-unseen AWS account.
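As an added example (this is not code from the original page, from Datadog, or from Stratus Red Team), the following Python check implements the detection described above over constructed CloudTrail CreateRole records: it parses requestParameters.assumeRolePolicyDocument, collects the AWS account principals allowed to call sts:AssumeRole, and raises a finding when one of them is not in an allow-list of known accounts or when the principal is a wildcard. The account IDs, role names and the KNOWN_ACCOUNTS allow-list are made up for the example; the sample records contain only the fields the check reads, and the backdoor record is built the way the technical impact section describes (a trust policy naming a foreign account), next to a normal EC2 instance role and a legitimate cross-account role.

```python
"""Added example: flag CreateRole CloudTrail records whose trust policy lets an
AWS account outside an allow-list (or any principal at all) assume the role."""
from __future__ import annotations

import json
import re
from typing import Any, Iterable, Optional
from urllib.parse import quote, unquote

# Accounts allowed to assume roles in this environment. Constructed for the
# example; in practice this comes from your organization's account inventory.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}

_ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")


def parse_trust_policy(raw: Any) -> dict:
    """CloudTrail logs assumeRolePolicyDocument as a string; it may still carry
    the URL-encoding it had in the API request. Accept both, plus a dict."""
    if isinstance(raw, dict):
        return raw
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(unquote(raw))


def _as_list(value: Any) -> list:
    return [] if value is None else (value if isinstance(value, list) else [value])


def _allows_assume_role(stmt: dict) -> bool:
    if stmt.get("Effect") != "Allow":
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions)


def aws_principals(policy: dict) -> tuple[set[str], bool]:
    """Return (account IDs that may assume the role, wildcard seen) from the Allow
    statements. Service/Federated principals are not accounts and are skipped."""
    accounts: set[str] = set()
    wildcard = False
    for stmt in _as_list(policy.get("Statement")):
        if not _allows_assume_role(stmt):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            wildcard = True
            continue
        if not isinstance(principal, dict):
            continue
        for entry in _as_list(principal.get("AWS")):
            if entry == "*":
                wildcard = True
            elif re.fullmatch(r"\d{12}", entry):
                accounts.add(entry)                 # bare account ID
            elif (m := _ARN_ACCOUNT_RE.match(entry)):
                accounts.add(m.group(1))            # account embedded in an ARN
    return accounts, wildcard


def evaluate_create_role(event: dict, known: Iterable[str] = KNOWN_ACCOUNTS) -> Optional[dict]:
    """Finding for a CreateRole event whose trust policy admits an unknown
    account or a wildcard principal; None for anything else."""
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") != "CreateRole":
        return None
    params = event.get("requestParameters") or {}
    raw = params.get("assumeRolePolicyDocument")
    if raw is None:
        return None
    accounts, wildcard = aws_principals(parse_trust_policy(raw))
    untrusted = sorted(accounts - set(known))
    if not untrusted and not wildcard:
        return None
    return {"roleName": params.get("roleName"),
            "createdBy": (event.get("userIdentity") or {}).get("arn"),
            "untrustedAccounts": untrusted, "wildcardPrincipal": wildcard}


def scan(events: Iterable[dict], known: Iterable[str] = KNOWN_ACCOUNTS) -> list[dict]:
    return [f for f in (evaluate_create_role(e, known) for e in events) if f]


def _record(role_name: str, principal: dict, url_encoded: bool = False) -> dict:
    """Build a constructed CloudTrail record with only the fields used above."""
    policy = json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]})
    return {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
            "recipientAccountId": "111111111111",
            "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/dev-role/session"},
            "requestParameters": {"roleName": role_name,
                                  "assumeRolePolicyDocument": quote(policy) if url_encoded else policy}}


# Constructed sample records: a backdoor role trusting an account that is not ours,
# a normal EC2 instance role, and a cross-account role trusting a known account.
SAMPLE_EVENTS = [
    _record("backdoor-role", {"AWS": "arn:aws:iam::999999999999:root"}),
    _record("app-instance-role", {"Service": "ec2.amazonaws.com"}),
    _record("ci-deploy-role", {"AWS": "222222222222"}, url_encoded=True),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Running the file prints one finding, for backdoor-role, naming the foreign account and the identity that created the role. The same logic applies unchanged to UpdateAssumeRolePolicy events if you relax the eventName check, since that API carries the new trust policy in the same field; the allow-list is the part you must maintain, and an account that is legitimately trusted but absent from it will show up as a false positive rather than being silently accepted.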

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate aws.persistence.iam-create-backdoor-role

See also the related documentation.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:


Create a backdoored IAM Role

The curious case of DangerDev: Role Creation
