In this chapter, we have looked at how we can establish a means of persistent access to a target AWS environment. This can be done directly, as we have shown with something like adding backdoor keys to other IAM users, or we can use more long-term methods with services such as AWS Lambda and CloudWatch Events. There are many different ways you can establish some kind of persistence in a target AWS account, but sometimes it can just take a little research on the target to determine where might be a good location.

Lambda provides a very flexible platform from which to react and respond to events within our target account, meaning we can establish persistence (or more) as resources are created; however just like we have shown by backdooring EC2 Security Groups, not every backdoor needs to be based on/within the IAM service and can sometimes be a backdoor for alternate kinds of access. This chapter setout to show some common methods of persistence in a way that can help you discover other methods of persistence in your engagements.

Rather than creating new resources in an account, which may be quite noisy to someone paying attention, it is also possible to backdoor existing Lambda functions. These attacks are a little bit more specific to the environment you are targeting and require a different set of privileges, but can be much stealthier and longer-lasting. These methods will be discussed in the next chapter, where we will discuss pentesting AWS Lambda, investigate backdoors and data exfiltration from existing Lambda functions, and more.