Establishing persistence in an AWS environment allows you to maintain privileged access, even in scenarios where your active attack gets detected and your primary means of access to an environment is shut down. It's not always possible to stay completely under the radar, so in those situations where we get caught, we need a backup plan (or two, or three, or...). Ideally, this backup plan is stealthy to establish and stealthy to exercise if we need to gain access to the environment again.
There are many techniques and methodologies relating to malware, evasion, and persistence that could be applied to this chapter, but we are going to stick with the different methods we can abuse in AWS and not necessarily the methodology behind a whole red-team-style penetration testing engagement. Persistence techniques in AWS differ greatly from traditional types of persistence, such as on a Windows server, but those techniques (as we already know) can also be applied to any servers within the AWS environment we are attacking.
In this chapter, we are going to focus on persistence within the actual AWS environment, rather than on servers that lie within the environment. These types of persistence include techniques such as backdoor user credentials, backdoor role trust relationships, backdoor EC2 Security Groups, backdoor Lambda functions, and more.
In this chapter, we are going to cover the following topics:
- Backdooring users
- Backdooring role trust relationships
- Backdooring EC2 Security Groups
- Using Lambda functions as persistent watchdogs