CreateDevEndpoint
AWS
CreateDevEndpoint
Event
Creates a Glue development endpoint providing SSH access into the Glue VPC with the Glue service role.
Security Context
- Glue dev endpoints grant SSH access with the Glue service role’s credentials, which often have broad data access permissions across S3, RDS, and other data stores.
- Adversaries create dev endpoints to escalate privileges by leveraging the Glue service role, which may have access to sensitive data resources that the original compromised identity cannot reach directly.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — controlling a session with glue:CreateDevEndpoint and iam:PassRole on DemiguiseInferenceRole — provisions a Glue dev endpoint and supplies his own SSH public key. Once the endpoint is READY, he SSHes in and runs commands inside the Glue VPC under the DemiguiseInferenceRole identity (which has read access to DEMIGUISE model artifacts in S3, KMS for the model key, and the inference-cache DynamoDB table). The endpoint provides a stable foothold inside the customer VPC.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T22:18:42Z", "eventSource": "glue.amazonaws.com", "eventName": "CreateDevEndpoint", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "endpointName": "demiguise-debug-666", "roleArn": "arn:aws:iam::555123456789:role/DemiguiseInferenceRole", "publicKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEPUBLICKEYDR4C0666EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE draco-attacker-666", "numberOfNodes": 5, "glueVersion": "4.0", "arguments": { "--enable-glue-datacatalog": "" } }, "responseElements": { "endpointName": "demiguise-debug-666", "status": "PROVISIONING", "roleArn": "arn:aws:iam::555123456789:role/DemiguiseInferenceRole", "numberOfNodes": 5, "glueVersion": "4.0", "arguments": { "--enable-glue-datacatalog": "" }, "createdTimestamp": "Apr 15, 2026, 10:18:42 PM" }, "requestID": "90000000-0000-4000-8000-000010000100", "eventID": "90000000-0000-4000-8000-000010000101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "glue.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...