This article explores how AWS EventBridge cross-account configurations can be exploited for infiltration, exfiltration, and persistent attacks.
• Cross-account EventBridge setups involve source/destination accounts, event rules, event targets, and IAM roles, enabling legitimate orchestration but also attack surfaces
• Two primary risk types exist: infiltration (injecting events into victim accounts to trigger Lambda or workflows) and exfiltration (forwarding sensitive data to external accounts in small chunks)
• Attack 1 (Persistent Beaconing): a compromised Lambda sends hourly disguised health-check events to an attacker-controlled account; EventBridge PutEvents calls are data-plane operations not logged by CloudTrail
• Attack 2 (Command and Control): bidirectional EventBridge channel sends base64-encoded commands to a compromised Lambda and receives results back, bypassing firewalls and VPC controls entirely
• Attack 3 (Reconnaissance): attacker creates a catch-all EventBridge rule u
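Both risk types above come down to two questions a defender can audit: which principals are allowed to PutEvents into a bus (infiltration), and which rules have targets that forward events to a bus in another account (exfiltration). The following is an added example, not code from the article; it works offline on the JSON shapes EventBridge returns from DescribeEventBus (`Policy`) and ListTargetsByRule (`Targets`), and the account ids, org id and sample documents are constructed.

```python
"""Offline audit of cross-account EventBridge exposure (added example; sample data constructed)."""
import json

TRUSTED_ACCOUNTS = {"111111111111"}   # constructed allowlist of this organization's accounts
TRUSTED_ORG_IDS = {"o-exampleorgid"}  # constructed: acceptable aws:PrincipalOrgID values

def account_of(arn):
    """Return the account-id field of an ARN (position 4), or '' if it is missing."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 5 else ""

def untrusted_putevents_principals(policy_json, trusted=TRUSTED_ACCOUNTS, trusted_orgs=TRUSTED_ORG_IDS):
    """Infiltration check on a DescribeEventBus 'Policy' document: principals ('*' or account
    id) granted events:PutEvents outside the allowlist; '*' scoped by a trusted org id is fine."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("events:PutEvents", "events:*", "*") for a in actions):
            continue
        if stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID") in trusted_orgs:
            continue  # wildcard principal, but restricted to our own organization
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            acct = "*" if p == "*" else (p if p.isdigit() else account_of(p))
            if acct not in trusted:
                findings.append(acct)
    return findings

def foreign_bus_targets(targets, trusted=TRUSTED_ACCOUNTS):
    """Exfiltration check on a ListTargetsByRule 'Targets' list: event-bus target ARNs
    owned by accounts outside the allowlist, i.e. rules that forward events out."""
    return [t["Arn"] for t in targets
            if ":event-bus/" in t.get("Arn", "") and account_of(t["Arn"]) not in trusted]

# Constructed bus policy: one grant to a trusted account, one unscoped wildcard grant.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "events:PutEvents", "Resource": "arn:aws:events:us-east-1:111111111111:event-bus/default"},
    {"Effect": "Allow", "Principal": "*", "Action": "events:PutEvents",
     "Resource": "arn:aws:events:us-east-1:111111111111:event-bus/default"}]})
# Constructed rule targets: a Lambda in this account and a forward to another account's bus.
SAMPLE_TARGETS = [
    {"Id": "local-lambda", "Arn": "arn:aws:lambda:us-east-1:111111111111:function:handler"},
    {"Id": "forward", "Arn": "arn:aws:events:us-east-1:999999999999:event-bus/default",
     "RoleArn": "arn:aws:iam::111111111111:role/eb-forward"}]

if __name__ == "__main__":
    print("untrusted PutEvents principals:", untrusted_putevents_principals(SAMPLE_POLICY))
    print("targets forwarding to foreign buses:", foreign_bus_targets(SAMPLE_TARGETS))
```

In a live account the same two functions can be fed the output of `describe_event_bus` for every bus and `list_targets_by_rule` for every rule; a wildcard principal without an organization condition, or a target bus outside the allowlist, is the configuration the article's infiltration and exfiltration scenarios rely on.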