Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks.
The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth said in a Tuesday analysis.
AWS STS is a web service that enables users to request temporary, limited-privilege credentials for users to access AWS resources without needing to create an AWS identity. These STS tokens can be valid anywhere from 15 minutes to 36 hours.
Threat actors can steal long-term IAM tokens through a variety of methods like malware infections, publicly exposed credentials, and phishing emails, subsequently using them to determine roles and privileges associated with those tokens via API calls.
“Depending on the token’s permission level, adversaries may also be able to use it to create additional IAM users with long-term AKIA tokens to ensure persistence in the event that their initial AKIA token and all of the ASIA short term tokens it generated are discovered and revoked,” the researcher said.
In the next stage, an MFA-authenticated STS token is used to create multiple new short-term tokens, followed by conducting post-exploitation actions such as data exfiltration.
To mitigate such AWS token abuse, it’s recommended to log CloudTrail event data, detect role-chaining events and MFA abuse, and rotate long-term IAM user access keys.
“AWS STS is a critical security control for limiting the use of static credentials and the duration of access for users across their cloud infrastructure,” the researchers said.
“However, under certain IAM configurations that are common across many organizations, adversaries can also create and abuse these STS tokens to access cloud resources and perform malicious actions.”