AWS IAM Operations via Compromised CloudShell
Compromised AWS console sessions can lead to attackers performing sensitive IAM operations via CloudShell to establish persistence or escalate privileges.
AWS CloudShell is a browser-based shell environment that allows command-line access to AWS resources directly from the AWS Management Console. While it offers convenience for administrators, it also presents a risk if an attacker gains access to a compromised console session. An attacker can leverage CloudShell to perform sensitive operations, such as creating IAM users, access keys, and roles, or attaching policies, without the need to install any tools or utilize programmatic credentials. This activity can be indicative of post-compromise credential harvesting or privilege escalation activity within the AWS environment. Defenders should monitor for unusual IAM activity originating from CloudShell sessions, particularly those involving the creation or modification of identities and permissions.
Attack Chain
- An attacker gains unauthorized access to an AWS Management Console session, potentially through credential theft or session hijacking.
- The attacker launches AWS CloudShell from within the compromised console session. This provides a command-line interface to the AWS environment.
- Using the CloudShell environment, the attacker attempts to create a new IAM user with elevated privileges using the
aws iam create-usercommand. - The attacker generates a new access key for the newly created IAM user or an existing compromised user with the
aws iam create-access-keycommand. - The attacker creates a new IAM role with overly permissive policies attached using the
aws iam create-rolecommand. - The attacker attaches policies to existing IAM users or roles using the
aws iam attach-user-policyoraws iam attach-role-policycommands to escalate privileges. - The attacker leverages the newly created or modified IAM identities and access keys to persist in the AWS environment and perform lateral movement.
- The final objective is to maintain persistent access to the AWS environment, escalate privileges, and potentially exfiltrate sensitive data or cause disruption.
Impact
Successful exploitation can lead to unauthorized access to sensitive AWS resources, data exfiltration, and service disruption. Attackers may create persistent backdoors within the AWS environment through the creation of rogue IAM users or roles. The number of victims depends on the scope of the compromised AWS account. Industries that heavily rely on AWS infrastructure are particularly vulnerable.
Recommendation
- Deploy the Sigma rule
AWS IAM Operations via CloudShellto your SIEM and tune for your environment to detect suspicious IAM activity originating from CloudShell sessions. - Implement session duration limits for AWS Management Console sessions to reduce the window of opportunity for console session abuse.
- Review and restrict CloudShell access via SCPs or IAM policies for sensitive accounts.
- Investigate any
ConsoleLoginevents followed by IAM actions from CloudShell as described in the rule's description.
Detection coverage 2
AWS IAM Operations via CloudShell
mediumDetects sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string, indicating potential post-compromise activity.
AWS Role Policy Attachment via CloudShell
mediumDetects AWS IAM role policy attachments performed via AWS CloudShell, indicating potential privilege escalation.
Detection queries are available on the platform. Get full rules →