AWS Sensitive IAM Operations Performed via CloudShell
Attackers can leverage a compromised AWS console session to perform sensitive AWS IAM operations via AWS CloudShell, establishing persistence or escalating privileges, which can be detected by monitoring CloudTrail logs for specific user agent strings and high-risk IAM actions.
This threat brief details the detection of sensitive AWS Identity and Access Management (IAM) operations executed through AWS CloudShell. AWS CloudShell provides convenient, browser-based command-line access to AWS resources directly from the AWS Management Console, eliminating the need for local CLI installations or credential configurations. While useful for legitimate administrators, this capability becomes a significant risk if an AWS Management Console session is compromised. Attackers can exploit CloudShell access to perform high-risk actions - such as creating IAM users, access keys, roles, or attaching policies - without leaving forensic artifacts on their local systems or requiring programmatic credentials. These activities are indicative of post-compromise credential harvesting, privilege escalation, or persistence establishment. Detection relies on monitoring AWS CloudTrail logs for specific IAM actions combined with the CloudShell user agent string, which signals unauthorized modifications within the AWS environment.
Attack Chain
- Initial Access: An attacker gains unauthorized access to an AWS Management Console session, typically through stolen credentials, session hijacking, or successful phishing campaigns.
- CloudShell Launch: From the compromised AWS Management Console, the attacker navigates to and launches AWS CloudShell, leveraging its integrated command-line environment.
- IAM Command Execution: The attacker uses the CloudShell terminal to execute AWS IAM commands, aiming to create new identities or modify existing permissions.
- Credential Creation: The attacker creates new IAM users (e.g.,
CreateUser), generates new access keys for existing users (e.g.,CreateAccessKey), or creates new IAM roles (e.g.,CreateRole) to establish alternative access points. - Policy Attachment/Modification: The attacker attaches new or existing policies (e.g.,
AttachUserPolicy,PutUserPolicy,AttachRolePolicy,PutRolePolicy) to users or roles to grant them expanded or unrestricted permissions. - Persistence/Privilege Escalation: Through these IAM manipulations, the attacker establishes persistent access mechanisms or escalates privileges within the AWS environment, ensuring continued unauthorized access even if the initial console session is revoked.
- Resource Exploitation: With elevated privileges, the attacker proceeds to access, modify, exfiltrate sensitive data, or disrupt critical AWS resources and services.
Impact
Successful exploitation of compromised AWS Management Console sessions via CloudShell can lead to severe consequences. Attackers can establish persistent backdoor access, escalate privileges to gain control over critical AWS resources, and compromise data integrity and confidentiality. The creation of unauthorized users or access keys allows for ongoing unauthorized access, potentially leading to widespread data exfiltration, resource manipulation, service disruption, and significant financial loss due to unauthorized resource usage. These actions directly undermine the security posture of the AWS account, making it difficult to detect and evict the attacker without a thorough incident response.
Recommendation
- Deploy the Sigma rule provided in this brief to your SIEM to detect suspicious IAM operations originating from AWS CloudShell.
- Configure AWS CloudTrail logging to capture all management events for your AWS account, which is the log source for this detection.
- Review
aws.cloudtrail.user_identity.arn,source.ip, andsource.geofields in CloudTrail logs to identify the actor and verify the request origin for any CloudShell-initiated IAM changes. - Implement AWS Identity and Access Management (IAM) policies or Service Control Policies (SCPs) to restrict CloudShell access for sensitive accounts or to limit the types of IAM operations that can be performed via CloudShell.
- Establish a baseline of normal CloudShell usage patterns within your organization to reduce false positives by identifying and allowing legitimate administrative workflows.
- For any unauthorized activity, immediately terminate the compromised console session and revoke any created credentials.
Detection coverage 1
AWS Sensitive IAM Operations Performed via CloudShell
highDetects sensitive AWS IAM operations (creating users, access keys, roles, or attaching policies) when performed via AWS CloudShell, indicating potential post-compromise persistence or privilege escalation.
Detection queries are available on the platform. Get full rules →