Backdooring users

Before we begin, let's define what backdooring really is. In the context of this chapter, it means almost exactly what it sounds like: we are opening up a back door into an environment so that if the front door is closed, we can still get in. In AWS, the back door could be any number of things that are covered throughout this chapter, and the front door would be our primary means of access to the environment (that is, the compromised IAM user credentials). We want our back doors to outlast a situation where a defender detects our compromise and shuts down the compromised user, because in that case we can hopefully still enter through the back door.

As we have demonstrated and used repeatedly in previous chapters, IAM users can be set up with an access key ID and a secret access key that grant them access to the AWS APIs. Best practice is generally to use alternative methods of authentication, such as single sign-on (SSO), which grants temporary federated access to an environment, but best practices aren't always followed. We will continue with a similar scenario to the one we used in the previous chapters, where we had the credentials of one IAM user, Test. We will also continue with the idea that our user has administrator-level access to the environment, through the privilege escalation we exploited in Chapter 10, Privilege Escalation of AWS Accounts Using Stolen Keys, Boto3 and Pacu.
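A user-level back door of the kind this section is about leaves a trace in CloudTrail: a long-lived access key appears on a user that the caller did not authenticate as (IAM permits at most two access keys per user, so an attacker who wants a key on a user that already has two must first delete one). The following script is an added example, not code from the book, and shows the defender's side of that picture: it parses a small constructed set of CloudTrail records (the field layout follows the real IAM event format, but every value, user name, and key ID in them is made up) and flags every CreateAccessKey call whose target user differs from the identity that made the call. It also handles the case where the caller omits the userName parameter, in which case IAM creates the key for the caller itself and the target user only appears in responseElements.

```python
import json

# Constructed CloudTrail sample (assumed shape of real IAM events; all values are made up).
SAMPLE_LOG = json.dumps({"Records": [
    {   # The Test user creating a key for itself: requestParameters is null,
        # so the target only shows up in responseElements.accessKey.userName.
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "Test"},
        "requestParameters": None,
        "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE00000001",
                                           "status": "Active", "userName": "Test"}}},
    {   # Test planting a key on another user: the back door this section describes.
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "Test"},
        "requestParameters": {"userName": "backup-admin"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE00000002",
                                           "status": "Active", "userName": "backup-admin"}}},
    {   # Unrelated read-only call; must be ignored.
        "eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "ListUsers",
        "userIdentity": {"type": "IAMUser", "userName": "Test"},
        "requestParameters": None, "responseElements": None},
    {   # A role session creating a user key: always cross-identity, so always flagged.
        "eventTime": "2024-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/session1",
                         "sessionContext": {"sessionIssuer": {"userName": "DeployRole"}}},
        "requestParameters": {"userName": "svc-deploy"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE00000003",
                                           "status": "Active", "userName": "svc-deploy"}}},
]})


def parse_cloudtrail(raw):
    """Return the list of records from a CloudTrail JSON document."""
    return json.loads(raw).get("Records", [])


def caller_name(identity):
    """Best-effort principal name: IAM users carry userName, role sessions carry
    the issuing role under sessionContext; fall back to the ARN."""
    if identity.get("type") == "IAMUser":
        return identity.get("userName")
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("userName") or identity.get("arn")


def target_user(record):
    """User the new key was created for. If requestParameters.userName is absent,
    IAM created the key for the caller, and the name is only in the response."""
    params = record.get("requestParameters") or {}
    if params.get("userName"):
        return params["userName"]
    key = (record.get("responseElements") or {}).get("accessKey") or {}
    return key.get("userName")


def find_cross_user_key_creation(records):
    """Flag CreateAccessKey calls where the caller is not the user receiving the key.
    A user refreshing its own key is normal; a key planted on another user is the
    persistence pattern this section is about."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateAccessKey":
            continue
        caller = caller_name(rec.get("userIdentity") or {})
        target = target_user(rec)
        if target is None or caller == target:
            continue
        key = (rec.get("responseElements") or {}).get("accessKey") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "caller": caller,
            "caller_type": (rec.get("userIdentity") or {}).get("type"),
            "target_user": target,
            "access_key_id": key.get("accessKeyId"),
        })
    return findings


if __name__ == "__main__":
    for f in find_cross_user_key_creation(parse_cloudtrail(SAMPLE_LOG)):
        print(f"{f['time']} {f['caller_type']} {f['caller']} created key "
              f"{f['access_key_id']} for user {f['target_user']}")
```

Run against a real trail, the same logic applies to records pulled from an S3 trail bucket or from the LookupEvents API, and the finding list is what you would feed into an alert; the self-created key in the first record is deliberately left out of the findings, because a user rotating its own key is routine and would otherwise bury the real signal.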
