
Lambda Event-Driven Persistence

critical

Persistence

An attacker deploys Lambda functions triggered by CloudWatch Events to automatically backdoor newly created IAM users, roles, or security groups.

Required Permissions

- lambda:CreateFunction
- lambda:AddPermission
- events:PutRule
- events:PutTargets
- iam:PassRole

Description

This technique uses AWS Lambda functions combined with CloudWatch Event Rules (EventBridge) to establish persistent, self-healing backdoors that automatically compromise new resources as they are created.

Several variants exist:

- **User backdoor** — A Lambda function triggers on CreateUser CloudTrail events and automatically creates access keys for every new IAM user, exfiltrating the credentials to an attacker-controlled endpoint.
- **Role backdoor** — A Lambda function triggers on CreateRole events and modifies the new role's trust policy to allow assumption by an attacker-controlled principal.
- **Security group backdoor** — A Lambda function triggers on CreateSecurityGroup events and adds ingress rules allowing attacker access to new security groups.
- **User resurrection** — A "rabbit" Lambda function triggers on DeleteUser events and immediately recreates the deleted user with new access keys, making it impossible to remove the attacker's access through normal IAM user deletion.

These backdoors are particularly insidious because they are event-driven and serverless — there is no running instance to discover, and the functions only execute briefly when triggered. They persist silently until the CloudWatch Event Rule and Lambda function are discovered and removed.

The Lambda functions can operate within AWS Free Tier limits (1M requests/month, 400,000 GB-seconds), making them cost-invisible.

Impact

Persistent, automatic compromise of all newly created IAM principals and network resources. Extremely difficult to fully eradicate without identifying and removing all event rules and Lambda functions.

Detection

Audit all Lambda functions and their triggers. Monitor for Lambda functions whose execution roles hold IAM modification permissions. Alert on CloudWatch Event Rules that match CreateUser, CreateRole, CreateSecurityGroup or DeleteUser CloudTrail events (DeleteUser covers the user resurrection variant) and that target a Lambda function.
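The two checks above (rules hooked to sensitive CloudTrail events, and Lambda execution roles holding IAM modification permissions) can be correlated offline against an exported inventory. The following is an added example written for this entry, not code from the attack library; it takes EventBridge rules in the shape returned by `events:DescribeRule`/`events:ListTargetsByRule` and a constructed map of function ARN to execution-role policy documents, evaluates each rule's event pattern (exact and `prefix` eventName matchers) against the four event names this technique hooks, and expands `*` wildcards in the role policy to report which backdoor-capable actions the target function could use. The sample inventory and account id are constructed, and the finding format is an assumption.

```python
import json

# CloudTrail eventNames the technique hooks, one per variant described in this entry
HOOKED_EVENT_NAMES = {"CreateUser", "CreateRole", "CreateSecurityGroup", "DeleteUser"}

# IAM/EC2 actions an execution role would need for each variant
BACKDOOR_ACTIONS = {
    "iam:CreateAccessKey",                # user backdoor
    "iam:UpdateAssumeRolePolicy",         # role backdoor
    "ec2:AuthorizeSecurityGroupIngress",  # security group backdoor
    "iam:CreateUser",                     # user resurrection ("rabbit")
}


def _name_matches(matcher, name: str) -> bool:
    """Evaluate one element of an EventBridge 'eventName' match list:
    a plain string matches exactly, a {"prefix": ...} content filter matches a prefix."""
    if isinstance(matcher, str):
        return matcher == name
    if isinstance(matcher, dict) and "prefix" in matcher:
        return name.startswith(matcher["prefix"])
    return False


def rule_hooked_events(event_pattern) -> set:
    """Return the hooked CloudTrail eventNames a rule's pattern would fire on.
    Scheduled rules have no pattern and match nothing; a CloudTrail pattern with
    no eventName filter fires on every API call, so it matches all four."""
    if not event_pattern:
        return set()
    pattern = json.loads(event_pattern) if isinstance(event_pattern, str) else event_pattern
    detail_types = pattern.get("detail-type")
    if detail_types and "AWS API Call via CloudTrail" not in detail_types:
        return set()
    matchers = pattern.get("detail", {}).get("eventName")
    if matchers is None:
        return set(HOOKED_EVENT_NAMES)
    return {n for n in HOOKED_EVENT_NAMES if any(_name_matches(m, n) for m in matchers)}


def role_backdoor_actions(policy_document: dict) -> set:
    """Return the BACKDOOR_ACTIONS an IAM policy allows, expanding trailing '*' wildcards
    (case-insensitive, like IAM). Deny and NotAction statements are ignored: this is a
    triage heuristic, not a full policy evaluation."""
    allowed = set()
    for stmt in policy_document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in (a.lower() for a in actions):
            if action.endswith("*"):
                allowed.update(b for b in BACKDOOR_ACTIONS if b.lower().startswith(action[:-1]))
            else:
                allowed.update(b for b in BACKDOOR_ACTIONS if b.lower() == action)
    return allowed


def find_event_driven_backdoors(rules, functions) -> list:
    """Correlate each rule's hooked events with its Lambda targets and their role policies.
    rules: [{"Name", "EventPattern", "Targets": [{"Arn"}]}]
    functions: {function ARN: {"RoleName", "RolePolicies": [policy documents]}}"""
    findings = []
    for rule in rules:
        hooked = rule_hooked_events(rule.get("EventPattern"))
        if not hooked:
            continue
        for target in rule.get("Targets", []):
            arn = target["Arn"]
            if not arn.startswith("arn:aws:lambda:"):
                continue
            actions = set()
            for doc in functions.get(arn, {}).get("RolePolicies", []):
                actions |= role_backdoor_actions(doc)
            findings.append({
                "rule": rule["Name"],
                "function": arn,
                "events": sorted(hooked),
                "actions": sorted(actions),
                # a hooked rule with a harmless role is still worth a look, hence "medium"
                "severity": "critical" if actions else "medium",
            })
    return findings


# Constructed sample inventory (not real account data; 111122223333 is AWS's example id)
_FN = "arn:aws:lambda:us-east-1:111122223333:function:"
SAMPLE_RULES = [
    {"Name": "iam-user-sync",  # shaped like the user backdoor variant
     "EventPattern": json.dumps({"source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"],
                                 "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateUser"]}}),
     "Targets": [{"Arn": _FN + "user-sync"}]},
    {"Name": "iam-cleanup-hook",  # shaped like the rabbit variant, with a generic-looking prefix filter
     "EventPattern": json.dumps({"detail-type": ["AWS API Call via CloudTrail"],
                                 "detail": {"eventName": [{"prefix": "Delete"}]}}),
     "Targets": [{"Arn": _FN + "cleanup"}]},
    {"Name": "nightly-report", "ScheduleExpression": "cron(0 2 * * ? *)",  # benign scheduled rule
     "Targets": [{"Arn": _FN + "report"}]},
]
SAMPLE_FUNCTIONS = {
    _FN + "user-sync": {"RoleName": "user-sync-role", "RolePolicies": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "logs:CreateLogStream"], "Resource": "*"}]}]},
    _FN + "cleanup": {"RoleName": "cleanup-role", "RolePolicies": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}]},
    _FN + "report": {"RoleName": "report-role", "RolePolicies": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}]},
}

if __name__ == "__main__":
    for finding in find_event_driven_backdoors(SAMPLE_RULES, SAMPLE_FUNCTIONS):
        print(json.dumps(finding))
```

On the sample inventory the scheduled rule is skipped, the CreateUser rule is reported as critical because its function's role can create access keys, and the `Delete` prefix rule is reported as critical because `iam:*` expands to every IAM action in the list, including `iam:CreateUser`. In a real audit the inventory would come from `events:ListRules`, `events:ListTargetsByRule`, `lambda:GetFunctionConfiguration` and the IAM policy APIs for each execution role.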

Mitigation

Use SCPs to restrict Lambda function creation to approved roles. Monitor and audit all EventBridge rules. Use AWS Config to track Lambda function configurations. Implement least privilege for Lambda execution roles.