Back to Intelligence

AWS Persistence Mechanisms: Detection and Hunting Guide for IAM and Lambda Backdoors

SA
Security Arsenal Team
July 15, 2026
6 min read

As we navigate the complexities of cloud security in 2026, a dangerous misconception persists among many organizations: that the ephemeral nature of cloud infrastructure inherently limits an attacker's dwell time. The reality is far more alarming. While your EC2 instances and containers may scale up and down in seconds, adversaries are embedding themselves deep into the control plane—specifically within IAM policies, Lambda functions, and federated identity sessions. This creates "invisible footholds" that survive infrastructure redeployments and standard incident response procedures.

Based on the latest intelligence from Rapid7 regarding persistence mechanisms in AWS, it is clear that traditional perimeter defenses are insufficient. If you cannot visualize how an attacker has rooted themselves in your identity and access management layers, you cannot contain the breach. This guide provides the technical detection logic, investigation workflows, and actionable remediation steps required to hunt down these hidden persistence mechanisms and reclaim your AWS environment.

Technical Analysis

The Persistence Vector

In AWS, persistence is rarely about maintaining a shell on a single server; it is about maintaining access to the environment. Attackers target three primary areas to achieve this:

  1. Identity and Access Management (IAM): By creating new users with administrative privileges or modifying existing trust policies (AssumeRole), adversaries ensure they can regain access even if their initial entry point (e.g., a compromised API key) is rotated.
  2. Lambda Functions: Attackers inject malicious code into Lambda functions to establish backdoors. This is particularly insidious because Lambda is serverless; the code executes only when triggered, making it difficult to detect via traditional network monitoring.
  3. Federated Sessions: Long-lived sessions via identity providers (IdPs) allow attackers to bypass MFA prompts and access the console directly, blending in with legitimate SSO traffic.

Attack Chain

  • Initial Access: Compromise of credentials, vulnerable workload, or misconfigured S3 bucket.
  • Privilege Escalation: Exploitation of iam:PassRole or creation of new policies.
  • Persistence: Creation of backdoor IAM users, modification of Lambda function code, or updating federation trust policies.
  • Defense Evasion: Disabling or deleting CloudTrail logs to obscure the activity.

Exploitation Status

These techniques are not theoretical. They are actively observed in intrusion sets involving ransomware operations and supply-chain compromises where the initial foothold is leveraged to establish long-term surveillance or data exfiltration channels.

Detection & Response

To effectively hunt these threats, we must pivot from simple signature matching to behavioral anomaly detection within CloudTrail logs. The following rules and queries are designed to catch the high-fidelity actions associated with establishing persistence.

SIGMA Rules

Use these rules to detect suspicious IAM modifications and Lambda code updates indicative of backdoor installation.

YAML
---
title: AWS IAM Backdoor User Creation
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects the creation of a new IAM user followed immediately by the attachment of an administrative policy, a common persistence mechanism.
references:
  - https://www.rapid7.com/blog/post/dr-investigating-aws-persistence-mechanisms
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1098
logsource:
  product: aws
  service: cloudtrail
detection:
  selection_create:
    eventName: CreateUser
    eventSource: iam.amazonaws.com
  selection_attach:
    eventName: AttachUserPolicy
    eventSource: iam.amazonaws.com
    requestParameters.policyArn|contains: 'AdministratorAccess'
  timeframe: 5m
  condition: selection_create | near selection_attach
falsepositives:
  - Legitimate administrative automation (Terraform/CloudFormation)
level: high
---
title: AWS Lambda Function Code Modification
id: b2c3d4e5-6789-01bc-def2-345678901234
status: experimental
description: Detects updates to Lambda function code that do not originate from known CI/CD pipelines or specific IP ranges, indicating potential backdoor installation.
references:
  - https://www.rapid7.com/blog/post/dr-investigating-aws-persistence-mechanisms
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventName: UpdateFunctionCode
    eventSource: lambda.amazonaws.com
  filter_known_ips:
    sourceIPAddress|startswith:
      - '10.0.0.0'
      - '192.168.0.0'
  condition: selection and not filter_known_ips
falsepositives:
  - Legitimate developer deployments from unlisted office IPs
level: medium

KQL (Microsoft Sentinel)

This KQL query hunts for IAM users created in the last 24 hours and checks if they have been granted administrative privileges or generated access keys immediately after creation.

KQL — Microsoft Sentinel / Defender
AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventName == "CreateUser" and EventSource == "iam.amazonaws.com"
| project UserCreated = RequestParameters.userName, SourceIP, UserIdentityPrincipalId, TimeCreated = TimeGenerated
| join kind=inner (
    AWSCloudTrail
    | where EventName in ("AttachUserPolicy", "PutUserPolicy", "CreateAccessKey") and EventSource == "iam.amazonaws.com"
    | project EventName, TargetUser = tostring(RequestParameters.userName), PolicyArn = RequestParameters.policyArn, TimeAction = TimeGenerated
) on $left.UserCreated == $right.TargetUser
| where TimeAction between (TimeCreated .. (TimeCreated + 10m))
| project TimeCreated, UserCreated, EventName, PolicyArn, SourceIP, UserIdentityPrincipalId
| sort by TimeCreated desc

Velociraptor VQL

This VQL artifact hunts for traces of AWS CLI activity on compromised Linux endpoints, specifically looking for command history that suggests persistence mechanisms (e.g., IAM user creation or Lambda updates) and checking for credential files.

VQL — Velociraptor
-- Hunt for AWS CLI history and credential files on Linux endpoints
SELECT
    FullPath,
    Mtime,
    Size,
    Sys.ReadFile(filename=FullPath)
FROM glob(globs=["/home/*/.aws/credentials", "/home/*/.bash_history", "/root/.aws/credentials", "/root/.bash_history"])
WHERE
    -- Check if bash history contains suspicious AWS commands
    FullPath =~ "bash_history" AND
    Sys.ReadFile(filename=FullPath) =~ "(aws iam create-user|aws lambda update-function-code|aws iam attach-user-policy)"
    OR
    -- Check for existence of credential files (which shouldn't be on workstations usually)
    FullPath =~ "credentials"

Remediation Script (Bash)

This script assists IR teams in identifying potentially backdoored IAM users and Lambda functions. Note: Requires aws CLI configured with appropriate read-only permissions.

Bash / Shell
#!/bin/bash

# AWS Persistence Remediation Audit Script
# Author: Security Arsenal
# Date: 2026-04-06

echo "[+] Scanning for suspicious IAM users created in the last 30 days..."

# List users and grep for creation date in last 30 days
aws iam list-users --query 'Users[?CreateDate>=`2026-03-06`].[UserName,CreateDate]' --output table

echo "[+] Checking for inline policies attached to users..."

# Get all users and check for inline policies (often used for subtle backdoors)
for user in $(aws iam list-users --query 'Users[].UserName' --output text); do
  policies=$(aws iam list-user-policies --user-name "$user" --query 'PolicyNames[]' --output text)
  if [ -n "$policies" ]; then
    echo "[!] User '$user' has inline policies: $policies"
    # Optional: Dump the policy document for review
    aws iam get-user-policy --user-name "$user" --policy-name "$policies" --output 
  fi
done

echo "[+] Auditing Lambda functions for recent code updates..."

# List functions and check last modified
aws lambda list-functions --query 'Functions[?LastModified>=`2026-03-06`].[FunctionName,LastModified,Role]' --output table

echo "[+] Audit Complete. Review the output above for unauthorized changes."

Remediation Steps

Upon detection of these persistence mechanisms, immediate action is required:

  1. Invalidate Credentials: Immediately rotate and delete any access keys associated with compromised IAM users. Revoke active sessions using the aws iam delete-login-profile or by invalidating specific federation tokens.
  2. Remove Malicious Identities: Delete the backdoor IAM users created by the attacker. Ensure you review the AttachedManagedPolicies and UserPolicies before deletion to understand the scope of access.
  3. Sanitize Lambda Functions: Revert Lambda functions to their last known good state. Review all layers and environment variables for malicious data. Remove triggers that may be activated by the attacker (e.g., specific CloudWatch events or S3 bucket notifications).
  4. Audit Trust Policies: Review all IAM Roles for modified AssumeRolePolicyDocument. Look for unknown external AWS Account IDs or federated principals that were added recently.
  5. Enable CloudTrail Logging: Ensure CloudTrail is enabled across all regions and is logging to a dedicated, locked-down S3 bucket with Object Lock enabled. Enable Lambda data events if not already active.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringawspersistenceiamlambda

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.