A critical persistence technique in AWS Identity and Access Management (IAM) stemming from its eventual consistency model, allowing attackers to retain access even after defenders delete compromised access keys.
AWS IAM, like many distributed systems, employs eventual consistency to scale across regions and replicas. Updates to resources such as access keys or policies propagate with a predictable delay of approximately 3-4 seconds, as confirmed through OFFENSAI’s testing across regions like us-east-1 and eu-central-1.
During this window, a deleted key still authenticates API calls: it can list the user's access keys (the response already comes back as an empty array, since the deletion has been recorded) or create new ones before invalidation completes.

Security firm OFFENSAI has uncovered that in a simulated attack, a defender executes aws iam delete-access-key --access-key-id AKIA… --user-name bob, while the attacker rapidly follows with aws iam create-access-key --user-name bob.
CloudTrail logs accurately record both the deletion and subsequent actions, yet the consistency lag permits persistence. This extends beyond keys to policy attachments, role deletions, and login profiles, amplifying risks in incident response.
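Because CloudTrail records both sides of the race, the lag is detectable after the fact. The following is an added example, not code from OFFENSAI or the Cybersecurity News report: it scans constructed CloudTrail records for API calls signed with an access key after that key's DeleteAccessKey event, which is how the persistence described above surfaces in the logs. The record layout follows CloudTrail's userIdentity, requestParameters and responseElements fields; the key ids, user names and timestamps are constructed.

```python
from datetime import datetime

# Constructed sample CloudTrail records (not real data): an admin deletes bob's
# key, and 2 s later that same deleted key is used to mint a replacement.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T12:00:00Z", "eventName": "DeleteAccessKey",
     "userIdentity": {"userName": "admin", "accessKeyId": "AKIAEXAMPLEADMIN0001"},
     "requestParameters": {"userName": "bob", "accessKeyId": "AKIAEXAMPLEBOB000001"}},
    {"eventTime": "2024-05-01T12:00:02Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "bob", "accessKeyId": "AKIAEXAMPLEBOB000001"},
     "requestParameters": {"userName": "bob"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLEBOB000002"}}},
    {"eventTime": "2024-05-01T12:00:30Z", "eventName": "ListAccessKeys",
     "userIdentity": {"userName": "bob", "accessKeyId": "AKIAEXAMPLEBOB000002"},
     "requestParameters": {"userName": "bob"}},
]


def _ts(record):
    # CloudTrail eventTime is ISO 8601 in UTC with one-second granularity.
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_post_deletion_use(events, window_seconds=10):
    """Return one finding per API call signed with an access key that had
    already been deleted. Hits inside the window match the eventual-consistency
    lag; hits well outside it would point at a logging or control gap."""
    deleted = {}  # accessKeyId -> (deletion time, owning IAM user)
    findings = []
    for rec in sorted(events, key=_ts):
        caller_key = rec.get("userIdentity", {}).get("accessKeyId")
        if caller_key in deleted:
            deleted_at, user = deleted[caller_key]
            delay = (_ts(rec) - deleted_at).total_seconds()
            new_key = rec.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
            findings.append({
                "user": user, "deleted_key": caller_key, "event": rec["eventName"],
                "seconds_after_delete": delay, "within_window": delay <= window_seconds,
                "new_key": new_key,  # set when the call minted a replacement key
            })
        if rec["eventName"] == "DeleteAccessKey":
            params = rec.get("requestParameters", {})
            deleted[params["accessKeyId"]] = (_ts(rec), params.get("userName"))
    return findings
```

A finding with a non-empty new_key identifies the replacement credential to revoke; the third record shows that later use of that new key is not itself flagged until its own DeleteAccessKey is seen.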
Source: Cybersecurity News