# Generating Temporary AWS Credentials from IAM User

## Overview

This is an interesting access vector that [threat actors](https://redcanary.com/blog/threat-detection/aws-sts/?utm_source=chatgpt.com) use to avoid detection and maintain persistence. By generating temporary credentials (this can be done multiple times to keep backups) threat actors can maintain persistence in a target's AWS account.

* The temporary credentials **remain active** even if the original compromised IAM User has had their access keys deactivated or deleted
* The temporary credentials carry whatever permissions the compromised IAM User has at the time of use, so adding or removing permissions on the user immediately changes what the temporary credentials can do
* These options **do not work** with IAM Roles; both calls must be made with IAM User credentials

***

### sts:GetFederationToken

{% hint style="warning" %}
The user **must have permission** to execute `sts:GetFederationToken`
{% endhint %}

{% hint style="success" %}
This can throw off defenders because you can name the new identity whatever you want!
{% endhint %}

The following command generates temporary credentials (valid from 15 minutes up to 36 hours) from an IAM User.

* You can specify any name you want; it does not need to match a real user
* You can specify any policy you want (up to 10 managed and/or inline policies), but **you only get the permissions of the user running this command**, even if you pass it an administrator policy

{% code overflow="wrap" %}

```bash
aws sts get-federation-token --name sally --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess --duration-seconds 129600

{
    "Credentials": {
        "AccessKeyId": "ASIA[REDACTED]",
        "SecretAccessKey": "pZlpr[REDACTED]",
        "SessionToken": "IQoJb3J[REDACTED]",
        "Expiration": "2025-11-11T08:56:15+00:00"
    },
    "FederatedUser": {
        "FederatedUserId": "111111111111:sally",
        "Arn": "arn:aws:sts::111111111111:federated-user/sally"
    },
    "PackedPolicySize": 7
}
```

{% endcode %}

* The credentials can be configured with `aws --profile sally configure`

{% code overflow="wrap" %}

```bash
aws --profile sally sts get-caller-identity
{
    "UserId": "111111111111:sally",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:federated-user/sally"
}
```

{% endcode %}

***

### sts:GetSessionToken

{% hint style="warning" %}
The user needs no permissions to execute this command
{% endhint %}

{% hint style="danger" %}
This is less stealthy because you can't change the session name
{% endhint %}

The following command generates temporary credentials (valid from 15 minutes up to 36 hours) from an IAM User.

{% code overflow="wrap" %}

```bash
aws --profile tyler sts get-session-token --duration-seconds 129600

{
    "Credentials": {
        "AccessKeyId": "ASIA[REDACTED]",
        "SecretAccessKey": "PTBAG[REDACTED]",
        "SessionToken": "IQoJb3Jp[REDACTED]",
        "Expiration": "2025-11-10T08:47:10+00:00"
    }
}
```

{% endcode %}

* The credentials can be configured with `aws --profile tyler-backdoor configure`

{% code overflow="wrap" %}

```bash
aws --profile tyler-backdoor sts get-caller-identity

{
    "UserId": "AIDA[REDACTED]",
    "Account": "111111111111",
    "Arn": "arn:aws:iam::111111111111:user/tyler"
}
```

{% endcode %}
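A defender-side example, added here and not part of the original page, showing what both calls above look like in CloudTrail and how to flag them. It scans constructed CloudTrail-style records (field names follow CloudTrail's schema; every value, event id and key id is made up) for `GetFederationToken` / `GetSessionToken` requests with long durations, federated names that match no real IAM user, or an AdministratorAccess session policy, and then ties later API calls back to the event that minted their temporary key (temporary key ids start with `ASIA`, long-term keys with `AKIA`). The inventory `KNOWN_IAM_USERS` and the 12-hour threshold `LONG_SESSION_SECONDS` are assumptions you would replace with your own.

```python
"""Flag temporary-credential minting and use in CloudTrail-style records."""

LONG_SESSION_SECONDS = 12 * 3600     # assumption: anything longer is unusual for a human
KNOWN_IAM_USERS = {"tyler", "alice"}  # assumption: constructed inventory of real IAM users
MINTING_CALLS = ("GetFederationToken", "GetSessionToken")

# Constructed CloudTrail-style records (schema-shaped, values made up).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "tyler", "accessKeyId": "AKIAEXAMPLE1"},
     "requestParameters": {"name": "sally", "durationSeconds": 129600,
                           "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE2"},
                          "federatedUser": {"federatedUserId": "111111111111:sally"}}},
    {"eventID": "evt-2", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": {"type": "IAMUser", "userName": "tyler", "accessKeyId": "AKIAEXAMPLE1"},
     "requestParameters": {"durationSeconds": 129600},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE3"}}},
    # Later use of the federation-token credentials: CloudTrail records a FederatedUser
    # whose sessionIssuer is the IAM user that minted them.
    {"eventID": "evt-3", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "FederatedUser", "principalId": "111111111111:sally",
                      "arn": "arn:aws:sts::111111111111:federated-user/sally",
                      "accessKeyId": "ASIAEXAMPLE2",
                      "sessionContext": {"sessionIssuer": {"type": "IAMUser", "userName": "tyler"}}}},
    # Later use of the session-token credentials: still an IAMUser, but with an ASIA key.
    {"eventID": "evt-4", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "tyler", "accessKeyId": "ASIAEXAMPLE3"}},
    # Benign baseline: a short session that should produce no finding.
    {"eventID": "evt-5", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE4"},
     "requestParameters": {"durationSeconds": 3600},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE5"}}},
]


def check_minting(event):
    """Findings for the two STS calls that mint temporary credentials from a user."""
    findings = []
    if event.get("eventSource") != "sts.amazonaws.com" or event["eventName"] not in MINTING_CALLS:
        return findings
    params = event.get("requestParameters") or {}
    duration = params.get("durationSeconds", 0)
    if duration > LONG_SESSION_SECONDS:
        findings.append(f"long session requested: {duration}s")
    if event["eventName"] == "GetFederationToken":
        fed_name = params.get("name", "")
        if fed_name not in KNOWN_IAM_USERS:
            findings.append(f"federated user name '{fed_name}' matches no IAM user")
        for policy in params.get("policyArns", []):
            if policy.get("arn", "").endswith("/AdministratorAccess"):
                findings.append("AdministratorAccess session policy requested")
    return findings


def check_usage(event):
    """Findings for API calls made with temporary credentials derived from a user."""
    findings = []
    ident = event.get("userIdentity", {})
    key = ident.get("accessKeyId", "")
    if ident.get("type") == "FederatedUser":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "?")
        findings.append(f"federated-user session {ident.get('principalId')} issued by {issuer}")
    elif ident.get("type") == "IAMUser" and key.startswith("ASIA"):
        findings.append(f"IAM user {ident.get('userName')} acting via temporary key {key}")
    return findings


def minted_keys(events):
    """Map each temporary access key id to the eventID of the STS call that minted it."""
    origin = {}
    for event in events:
        if event.get("eventSource") != "sts.amazonaws.com":
            continue
        creds = (event.get("responseElements") or {}).get("credentials") or {}
        if creds.get("accessKeyId"):
            origin[creds["accessKeyId"]] = event["eventID"]
    return origin


def scan(events):
    """Return {eventID: [finding, ...]} for every event with at least one finding."""
    origin = minted_keys(events)
    results = {}
    for event in events:
        findings = check_minting(event) + check_usage(event)
        key = event.get("userIdentity", {}).get("accessKeyId", "")
        if key in origin and event["eventName"] not in MINTING_CALLS:
            findings.append(f"key {key} was minted in event {origin[key]}")
        if findings:
            results[event["eventID"]] = findings
    return results


if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(findings))
```

Two points this makes concrete for responders: the `GetSessionToken` path leaves the original user's ARN on every later call, so the only visible tell is the `ASIA` key id, while the `GetFederationToken` path shows up as a `FederatedUser` whose `sessionIssuer` still names the real user. And because, as stated above, the temporary credentials evaluate the user's permissions at call time, attaching an explicit deny-all policy to (or deleting) the compromised user cuts these sessions off, whereas deleting only the access key does not.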
