Rapid7 Details AWS Persistence Techniques via IAM User Manipulation
Rapid7's latest analysis reveals sophisticated methods attackers use to maintain persistent access within AWS environments by manipulating Identity and Access Management (IAM) users.

Cloud environments, characterized by their dynamic and ephemeral nature, present unique challenges for security professionals. While infrastructure may scale and change rapidly, adversaries are adept at establishing long-term persistence by embedding themselves deep within cloud configurations. Rapid7's recent report, "Investigating Persistence Mechanisms in AWS," highlights how attackers exploit AWS's Identity and Access Management (IAM) system to create invisible footholds that can survive incident containment efforts.
The primary technique detailed involves the creation and manipulation of IAM users. Attackers leverage the iam:CreateUser API call to establish new user accounts, often creating separate users for each collaborator to facilitate independent activities. While the creation of a user is a foundational step, it is insufficient on its own for persistent access due to the lack of credentials and permissions. This initial action is typically followed by several critical steps to solidify their presence.
To gain authenticated access, threat actors utilize iam:CreateAccessKey to generate long-term credentials, or iam:CreateConsoleProfile to enable console-based authentication. These actions are crucial for enabling future logins and potential lateral movement within the compromised environment. The report emphasizes that these credential-creation events are often simple and directly linked to the newly created user, making them detectable with careful log analysis.
Beyond credential provisioning, attackers focus on assigning permissions to the newly created IAM users to grant them the necessary privileges to interact with AWS resources. This is achieved through API calls such as iam:AttachUserPolicy to apply managed policies, iam:PutUserPolicy to embed custom inline policies, or iam:AddUserToGroup to assign users to existing groups with predefined permissions. These actions effectively equip the compromised user with the capabilities needed to achieve their objectives within the AWS environment.
Rapid7 provides specific detection logic and Log Event Query Language (LEQL) queries to aid security teams in hunting down these persistence mechanisms. By analyzing CloudTrail logs, organizations can identify suspicious iam:CreateUser actions and subsequent credential or permission modifications. Queries are designed to filter out routine administrative activities, focusing on the specific events that indicate malicious intent, such as the creation of unauthorized users and the assignment of excessive privileges.
The investigation extends to examining the source of these malicious actions. By identifying the originating IAM user or role that initiated the creation of the malicious user, security teams can uncover the full scope of the compromise and potentially identify other compromised accounts involved in the attack. This holistic approach is essential for understanding the attacker's methodology and the extent of their access.
Remediation steps recommended by Rapid7 include a thorough review of all actions performed by both the compromised and the originating users, examination of authentication patterns for anomalies, and the immediate application of deny-all policies to any suspected compromised entities. Rotating credentials, removing unauthorized IAM users, and thoroughly investigating any accessed resources are critical for fully reclaiming the AWS environment and preventing future breaches. The report underscores that effective cloud security requires continuous vigilance and the ability to detect and respond to sophisticated persistence techniques.