Skip to content
Threat Feed
medium advisory

AWS IAM Operations via Compromised CloudShell

Compromised AWS console sessions can lead to attackers performing sensitive IAM operations via CloudShell to establish persistence or escalate privileges.

AWS CloudShell is a browser-based shell environment that allows command-line access to AWS resources directly from the AWS Management Console. While it offers convenience for administrators, it also presents a risk if an attacker gains access to a compromised console session. An attacker can leverage CloudShell to perform sensitive operations, such as creating IAM users, access keys, and roles, or attaching policies, without the need to install any tools or utilize programmatic credentials. This activity can be indicative of post-compromise credential harvesting or privilege escalation activity within the AWS environment. Defenders should monitor for unusual IAM activity originating from CloudShell sessions, particularly those involving the creation or modification of identities and permissions.

Attack Chain

  1. An attacker gains unauthorized access to an AWS Management Console session, potentially through credential theft or session hijacking.
  2. The attacker launches AWS CloudShell from within the compromised console session. This provides a command-line interface to the AWS environment.
  3. Using the CloudShell environment, the attacker attempts to create a new IAM user with elevated privileges using the aws iam create-user command.
  4. The attacker generates a new access key for the newly created IAM user or an existing compromised user with the aws iam create-access-key command.
  5. The attacker creates a new IAM role with overly permissive policies attached using the aws iam create-role command.
  6. The attacker attaches policies to existing IAM users or roles using the aws iam attach-user-policy or aws iam attach-role-policy commands to escalate privileges.
  7. The attacker leverages the newly created or modified IAM identities and access keys to persist in the AWS environment and perform lateral movement.
  8. The final objective is to maintain persistent access to the AWS environment, escalate privileges, and potentially exfiltrate sensitive data or cause disruption.

Impact

Successful exploitation can lead to unauthorized access to sensitive AWS resources, data exfiltration, and service disruption. Attackers may create persistent backdoors within the AWS environment through the creation of rogue IAM users or roles. The number of victims depends on the scope of the compromised AWS account. Industries that heavily rely on AWS infrastructure are particularly vulnerable.

Recommendation

  • Deploy the Sigma rule AWS IAM Operations via CloudShell to your SIEM and tune for your environment to detect suspicious IAM activity originating from CloudShell sessions.
  • Implement session duration limits for AWS Management Console sessions to reduce the window of opportunity for console session abuse.
  • Review and restrict CloudShell access via SCPs or IAM policies for sensitive accounts.
  • Investigate any ConsoleLogin events followed by IAM actions from CloudShell as described in the rule's description.

Detection coverage 2

AWS IAM Operations via CloudShell

medium

Detects sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string, indicating potential post-compromise activity.

sigma tactics: persistence, privilege_escalation techniques: T1098, T1136 sources: cloudtrail, aws

AWS Role Policy Attachment via CloudShell

medium

Detects AWS IAM role policy attachments performed via AWS CloudShell, indicating potential privilege escalation.

sigma tactics: persistence, privilege_escalation techniques: T1098 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →