EC2 Instance Connect as a Backdoor: Silent Persistence in AWS
Speaker: Nathaniel Fernandes
Abstract
This talk explores a stealthy persistence technique abusing EC2 Instance Connect, discovered while analyzing how SSH key injection works in AWS EC2. By modifying the AuthorizedKeysCommand script used by the SSH daemon, persistent SSH access can be established without adding keys to authorized_keys and without generating CloudTrail logs. This creates a blind spot for traditional SOC monitoring and cloud security controls. The session breaks down the root cause of this trust failure, demonstrates the persistence mechanism, and discusses practical detection and hardening strategies for defenders.
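On the detection side, one check that follows from the abstract is to treat whatever program sshd's AuthorizedKeysCommand directive points at as an integrity-monitored file. The sketch below is an added example, not code from the talk or from AWS: the function names, the placeholder helper path and the idea of a baseline hash recorded from a known-good image are all assumptions.

```python
import hashlib
import os
import re
import stat

# Constructed sample; the helper path is a placeholder, not a real AWS path.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
PasswordAuthentication no
AuthorizedKeysCommand /opt/example/keys_helper %u %f
AuthorizedKeysCommandUser nobody
"""

def authorized_keys_commands(config_text):
    """Return the program path of every AuthorizedKeysCommand directive."""
    paths = []  # Include files are not followed; scan them separately.
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)[\s=]+(.+)", line)
        if m and m.group(1).lower() == "authorizedkeyscommand":
            program = m.group(2).strip('"').split()[0]
            if program.lower() != "none":
                paths.append(program)
    return paths

def check_helper(path, baseline_sha256, expected_uid=0):
    """Compare one helper script against a known-good hash, owner and mode."""
    try:
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
    except OSError as exc:
        return [f"cannot inspect: {exc.strerror}"]
    findings = []
    if digest != baseline_sha256:
        findings.append("content differs from baseline")
    if st.st_uid != expected_uid:
        findings.append("unexpected owner")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    return findings

def audit(config_text, baselines, expected_uid=0):
    """Map each configured helper path to its list of findings."""
    return {p: (check_helper(p, baselines[p], expected_uid) if p in baselines
                else ["no baseline recorded"])
            for p in authorized_keys_commands(config_text)}

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, {}))
```

Run it against the instance's real sshd configuration with baselines taken from the image the instance was launched from; a helper path with no recorded baseline is itself a finding.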