Securing Cloud Environments: Understanding and Mitigating AWS Token Exploitation

Threat actors can exploit the Amazon Web Services Security Token Service (AWS STS) to infiltrate cloud accounts and carry out subsequent attacks. This service allows them to impersonate user identities and roles within cloud environments, enabling unauthorized access and malicious actions, as highlighted by Red Canary researchers Thomas Gardner and Cody Betsworth in a recent analysis.

AWS STS functions as a web service enabling users to request temporary, limited-privilege credentials for accessing AWS resources without the need for creating AWS identities. These temporary STS tokens have varying lifespans, ranging from 15 minutes to 36 hours.

The exploitation of AWS STS involves stealing long-term IAM tokens through methods like malware infections, exposed credentials, or phishing attacks. With these tokens, threat actors can ascertain associated roles and privileges via API calls. Depending on the permissions granted by the token, adversaries can even create additional IAM users with long-term access, ensuring persistence even if initial tokens are revoked.

Subsequently, an MFA-authenticated STS token can be utilized to generate multiple short-term tokens, facilitating post-exploitation actions such as data exfiltration.

To mitigate the risk of AWS token abuse, it is recommended to monitor CloudTrail event data, detect MFA abuse and role-chaining incidents, and regularly rotate long-term IAM user access keys. While AWS STS serves as a crucial security control for limiting the use of static credentials and access duration, certain IAM configurations can be exploited by adversaries to access cloud resources and execute malicious activities.

Furthermore, recent findings by SentinelLabs reveal significant security vulnerabilities affecting AWS and other cloud services due to flaws in driver software. These vulnerabilities could potentially allow attackers to escalate their privileges, disable security solutions, tamper with system components, or execute malicious actions unhindered. Both end-users and cloud service providers are susceptible to these vulnerabilities, which stem from shared code utilized in server and client-side applications.

SentinelLabs has proactively disclosed these vulnerabilities to affected providers and assigned CVE identifiers for tracking. While there’s no evidence of exploitation by malicious actors so far, users of affected services are advised to promptly check for updates and apply patches as necessary, as some vulnerabilities may require manual intervention for mitigation.

Scroll to Top