Threat Actors Can Use AWS STS to Infiltrate Cloud Accounts

December 06, 2023 | Newsroom | Access Management / Cloud Security


Threat actors can exploit the Amazon Web Services Security Token Service (AWS STS) as a means to infiltrate cloud accounts and conduct follow-on attacks.

The service allows threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth say in an analysis published on Tuesday.

AWS STS is a web service that lets users request temporary, limited-privilege credentials for accessing AWS resources without having to create an AWS identity. These STS tokens are valid anywhere from 15 minutes to 36 hours.

Threat actors can steal long-lived IAM tokens through various methods, such as malware infection, publicly exposed credentials, and phishing emails, and then use them to identify the roles and privileges associated with the tokens through API calls.


“Depending on the permission level of the token, adversaries can also use it to create additional IAM users with long-term AKIA tokens to ensure continuity once their initial AKIA token and all the short-term ASIA tokens it has created are discovered and withdrawn,” the researchers said.

In the next stage, an MFA-authenticated STS token is used to create several new short-term tokens, followed by performing post-exploitation actions such as data exfiltration.

To mitigate such AWS token abuse, it is recommended to log CloudTrail event data, detect role chaining events and MFA abuse, and rotate the long-term access keys of IAM users.
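The following Python is an added example, not code from the article or from Red Canary, sketching how the three recommendations above can be checked against CloudTrail data: flag sts:AssumeRole calls made by a principal that is already a role session (role chaining), flag IAM persistence calls such as CreateAccessKey issued under temporary ASIA credentials (the pattern of minting long-lived AKIA keys from a short-term session), and list active long-lived keys past a rotation age. All records, the account number, ARNs, key IDs and timestamps are constructed sample data; the field names follow the CloudTrail record format (userIdentity.type, userIdentity.accessKeyId, eventSource, eventName) and the output shape of `aws iam list-access-keys`.

```python
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not real log data). Only the fields
# the checks below consult are populated.
SAMPLE_EVENTS = [
    # An IAM user with a long-lived AKIA key assumes a role: expected activity.
    {"eventTime": "2023-12-05T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Deploy"}},
    # The resulting role session assumes a second role: role chaining.
    {"eventTime": "2023-12-05T10:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin"}},
    # A short-term (ASIA) session mints a long-lived key for another user:
    # the persistence pattern the article describes.
    {"eventTime": "2023-12-05T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
     "requestParameters": {"userName": "backup-svc"}},
    # Ordinary read-only call from the same session: must not alert.
    {"eventTime": "2023-12-05T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
     "requestParameters": None},
]

# Constructed sample of what `aws iam list-access-keys` returns per user.
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": "2023-06-01T00:00:00Z"},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000004",
     "Status": "Active", "CreateDate": "2023-11-20T00:00:00Z"},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000005",
     "Status": "Inactive", "CreateDate": "2022-01-01T00:00:00Z"},
]

# IAM calls that create a new principal or a new long-lived credential.
PERSISTENCE_CALLS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}


def is_role_chaining(event):
    """sts:AssumeRole issued by a principal that is already a role session."""
    ident = event.get("userIdentity", {})
    return (event.get("eventSource") == "sts.amazonaws.com"
            and event.get("eventName") == "AssumeRole"
            and ident.get("type") == "AssumedRole")


def is_persistence_from_session(event):
    """IAM persistence call made with temporary (ASIA-prefixed) credentials."""
    ident = event.get("userIdentity", {})
    key = ident.get("accessKeyId", "") or ""
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") in PERSISTENCE_CALLS
            and key.startswith("ASIA"))


def scan_events(events):
    """Return (rule, eventName, caller ARN) for every event matching a rule."""
    hits = []
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn", "")
        if is_role_chaining(ev):
            hits.append(("role_chaining", ev["eventName"], arn))
        if is_persistence_from_session(ev):
            hits.append(("persistence_from_session", ev["eventName"], arn))
    return hits


def parse_time(s):
    """Parse the UTC 'Z' timestamps used in CloudTrail and IAM output."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_access_keys(keys, now, max_age_days=90):
    """Active long-lived keys older than max_age_days: rotation candidates."""
    stale = []
    for k in keys:
        if k["Status"] != "Active":
            continue
        if (now - parse_time(k["CreateDate"])).days > max_age_days:
            stale.append(k["AccessKeyId"])
    return stale


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT", *hit)
    now = parse_time("2023-12-05T12:00:00Z")
    print("rotate:", stale_access_keys(SAMPLE_KEYS, now))
```

On the sample data this raises one role-chaining alert for the Deploy session assuming Admin and one persistence alert for CreateAccessKey under an ASIA key, and lists alice's 187-day-old key for rotation. In production the same predicates run over the CloudTrail events delivered to S3 or a SIEM; the role-chaining rule in particular needs an allow-list of the legitimate role-to-role hops your pipelines use, since CI systems commonly chain roles by design.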

“AWS STS is a critical security control for limiting the use of static credentials and the duration of users’ access to their cloud infrastructure,” the researchers said.

“However, under certain IAM configurations common to many organizations, adversaries can also create and abuse these STS tokens to access cloud resources and create harmful actions.”
