AWS IAM Backdoor User / Access Key
Create a stealth IAM user (svc-monitor) with PowerUser / Admin attached for re-entry after credential rotations.
§ Where this technique fits
C-AWS-IAM-BACKDOOR is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 7.3 on average.
§ Dossiers chaining this technique
- step 6 / 6: GitHub OIDC trust over-broad → AWS admin
  An IAM role trusts GitHub Actions OIDC with a wildcard 'repo:*' subject. Any attacker GitHub repo can assume the role and run with its privileges.
- step 7 / 7: pull_request_target injection → secrets → cloud takeover
  A GitHub Actions workflow runs on pull_request_target and checks out the PR's head SHA. The attacker's PR injects code that runs with the base repo's secrets, including a cloud deploy role.
- step 9 / 9: SSRF → IMDS → AssumeRole chain → Org admin
  A web SSRF leaks the EC2 instance role; iam:PassRole + sts:AssumeRole hops across two member accounts land you with AdministratorAccess in the organisation's management account.