
Bulk IAM Credential Injection

Severity: critical

Tactic: Persistence

An attacker with IAM write access creates access keys for all existing users and modifies trust policies on all existing roles, establishing broad persistent access.

Required Permissions

- iam:ListUsers
- iam:CreateAccessKey
- iam:ListRoles
- iam:UpdateAssumeRolePolicy
- ec2:DescribeSecurityGroups
- ec2:AuthorizeSecurityGroupIngress

Description

This technique uses IAM write permissions to systematically backdoor every existing identity in an AWS account. Rather than targeting a single user or role, the attacker iterates through all principals to maximize persistence.

The attack involves three parallel operations:

- **Bulk user backdooring** — Enumerate all IAM users with iam:ListUsers, then call iam:CreateAccessKey for each user. Each user can have up to two access keys, so even if one is detected and removed, the second may survive. The attacker stores all generated credentials externally.
- **Bulk role backdooring** — Enumerate all IAM roles with iam:ListRoles, then modify each role's trust policy with iam:UpdateAssumeRolePolicy to add an attacker-controlled principal (from an external AWS account). This grants the attacker the ability to assume any role in the account at will.
- **Bulk security group backdooring** — Enumerate all security groups and add ingress rules allowing attacker-controlled IP ranges, opening network access to EC2 instances, RDS databases, and other VPC resources.

The scale of this attack makes remediation extremely painful. Every user must have access keys rotated, every role trust policy must be audited and cleaned, and every security group must be reviewed. Missing even one backdoor leaves the attacker with continued access.

Impact

Persistent access to every identity and network path in the account. Remediation requires auditing and rotating credentials for all principals — missing one leaves the door open.

Detection

Monitor for bulk CreateAccessKey calls across multiple users. Alert on UpdateAssumeRolePolicy calls that add external account principals. Detect bulk AuthorizeSecurityGroupIngress calls.
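The three detections above, written out as Python over CloudTrail records. This is an added example, not code from the attack library; the events are constructed and simplified to the fields the logic reads (eventName, eventTime, userIdentity.arn, requestParameters), and the trusted-account list, the five-target threshold and the 15-minute window are assumptions to tune for your environment.

```python
"""Detect bulk IAM and security-group backdooring from CloudTrail events.

Added example (not from the original page). The CloudTrail records below are
constructed; TRUSTED_ACCOUNTS, BULK_THRESHOLD and WINDOW are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_ACCOUNTS = {"111111111111"}  # assumption: the account(s) you own
BULK_THRESHOLD = 5                   # assumption: distinct targets per actor per window
WINDOW = timedelta(minutes=15)       # assumption


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def principals_in_trust_policy(policy_document):
    """Yield every principal (ARN, account id, service, or '*') allowed to assume the role."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            yield "*"
            continue
        for value in principal.values():
            for p in (value if isinstance(value, list) else [value]):
                yield p


def account_of(principal):
    """Return the 12-digit account id in a principal; None for service principals."""
    if principal == "*":
        return "*"
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")  # arn:aws:iam::123456789012:root -> parts[4]
    if len(parts) >= 5 and parts[0] == "arn" and parts[4].isdigit():
        return parts[4]
    return None


def external_principals(policy_document, trusted=TRUSTED_ACCOUNTS):
    """Principals in the trust policy that belong to no trusted account (or are '*')."""
    found = []
    for p in principals_in_trust_policy(policy_document):
        acct = account_of(p)
        if acct == "*" or (acct is not None and acct not in trusted):
            found.append(p)
    return found


def detect_bulk(events, event_name, target_key, threshold=BULK_THRESHOLD, window=WINDOW):
    """Map actor ARN -> sorted targets when one actor hits >= threshold distinct targets in a window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["eventName"] == event_name:
            by_actor[e["userIdentity"]["arn"]].append((_ts(e), e["requestParameters"][target_key]))
    alerts = {}
    for actor, hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {t for ts, t in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[actor] = sorted(targets)
                break
    return alerts


def detect_external_trust(events, trusted=TRUSTED_ACCOUNTS):
    """List (actor, role, external principals) for UpdateAssumeRolePolicy calls that add outsiders."""
    alerts = []
    for e in events:
        if e["eventName"] != "UpdateAssumeRolePolicy":
            continue
        ext = external_principals(e["requestParameters"]["policyDocument"], trusted)
        if ext:
            alerts.append((e["userIdentity"]["arn"], e["requestParameters"]["roleName"], ext))
    return alerts


def _event(name, actor, minute, **params):  # builds a constructed, simplified CloudTrail record
    return {"eventName": name, "eventTime": f"2024-01-01T10:{minute:02d}:00Z",
            "userIdentity": {"arn": actor}, "requestParameters": params}


ATTACKER = "arn:aws:iam::111111111111:user/compromised-admin"  # constructed
SAMPLE_EVENTS = (
    [_event("CreateAccessKey", ATTACKER, m, userName=f"user{m}") for m in range(6)]
    + [_event("CreateAccessKey", "arn:aws:iam::111111111111:user/ops", 30, userName="ops")]
    + [_event("UpdateAssumeRolePolicy", ATTACKER, 7, roleName="AppRole", policyDocument=json.dumps(
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "arn:aws:iam::999999999999:root"]}}]}))]
    + [_event("UpdateAssumeRolePolicy", ATTACKER, 8, roleName="LambdaRole", policyDocument=json.dumps(
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "lambda.amazonaws.com"}}]}))]
    + [_event("AuthorizeSecurityGroupIngress", ATTACKER, m, groupId=f"sg-{m:08x}") for m in range(10, 16)]
)


def run(events=SAMPLE_EVENTS):
    return {"bulk_access_keys": detect_bulk(events, "CreateAccessKey", "userName"),
            "external_trust": detect_external_trust(events),
            "bulk_sg_ingress": detect_bulk(events, "AuthorizeSecurityGroupIngress", "groupId")}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The trust-policy check compares the account id of each allowed principal against your own accounts, so a service principal such as lambda.amazonaws.com does not fire while a foreign root ARN or a bare `*` does. The bulk detector keys on the calling identity rather than the target, which is what separates one compromised actor touching many users from many users each rotating their own key; on real CloudTrail data (via Athena, EventBridge or your SIEM) the same window logic applies, with the threshold set above your normal provisioning burst.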

Mitigation

Use SCPs to restrict iam:CreateAccessKey and iam:UpdateAssumeRolePolicy to specific admin roles. Enable AWS Config rules for access key rotation and trust policy compliance. Regularly audit all access keys and role trust policies.
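The SCP guardrail and the access-key audit from the mitigation above, as an added Python example that is not part of the attack library. The admin role ARN, the 90-day rotation limit and the key metadata (shaped like iam:ListAccessKeys output) are constructed assumptions; `scp_denies` is a deliberately minimal evaluator for the Deny statement the block emits, not a reimplementation of IAM policy evaluation.

```python
"""SCP guardrail for iam:CreateAccessKey / iam:UpdateAssumeRolePolicy plus an access-key audit.

Added example (not from the original page). ADMIN_ROLE_ARN, MAX_KEY_AGE and
SAMPLE_KEYS are assumptions/constructed data.
"""
import fnmatch
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

ADMIN_ROLE_ARN = "arn:aws:iam::111111111111:role/IamAdminRole"  # assumption
GUARDED_ACTIONS = ["iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy"]
MAX_KEY_AGE = timedelta(days=90)  # assumption


def build_scp(admin_role_arn=ADMIN_ROLE_ARN, actions=GUARDED_ACTIONS):
    """Deny the guarded IAM writes to every principal except the named admin role.

    aws:PrincipalArn resolves to the role ARN for role sessions, so one ARN
    covers every session that assumed IamAdminRole.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "RestrictIamBackdoorWrites",
        "Effect": "Deny",
        "Action": list(actions),
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": [admin_role_arn]}},
    }]}


def scp_denies(scp, action, principal_arn):
    """Minimal check: does a Deny statement with an ArnNotLike principal condition match?"""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        if any(fnmatch.fnmatchcase(principal_arn, p) for p in exempt):
            continue  # principal is exempt, the Deny does not apply
        return True
    return False


def stale_access_keys(key_metadata, now, max_age=MAX_KEY_AGE):
    """(UserName, AccessKeyId) for Active keys older than max_age."""
    return [(k["UserName"], k["AccessKeyId"]) for k in key_metadata
            if k["Status"] == "Active" and now - k["CreateDate"] > max_age]


def users_with_multiple_keys(key_metadata):
    """Users holding more than one Active key: the second key is where a surviving backdoor hides."""
    counts = Counter(k["UserName"] for k in key_metadata if k["Status"] == "Active")
    return sorted(u for u, n in counts.items() if n > 1)


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_KEYS = [  # constructed, shaped like ListAccessKeys.AccessKeyMetadata
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=1)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE00000003", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE00000004", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30)},
]

if __name__ == "__main__":
    print(json.dumps(build_scp(), indent=2))
    print("stale:", stale_access_keys(SAMPLE_KEYS, NOW))
    print("multiple keys:", users_with_multiple_keys(SAMPLE_KEYS))
```

Two caveats when applying this for real: SCPs never restrict the organization's management account, so this guardrail only holds for member accounts, and the audit functions should be fed the live output of iam:ListAccessKeys (per user, paginated) rather than the constructed sample. Users showing two Active keys deserve a look even when both are young, since that is exactly the state the bulk CreateAccessKey step leaves behind.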