Alert: Threat Actors Can Leverage AWS STS to Infiltrate Cloud Accounts

Alert: Threat Actors Can Leverage AWS STS to Infiltrate Cloud Accounts

December 6, 2023 at 09:12AM

Amazon Web Services Security Token Service (AWS STS) can be exploited by attackers to gain cloud access and impersonate user roles, according to Red Canary researchers. They recommend monitoring CloudTrail events and rotating IAM keys to mitigate token abuse in cloud security management.

Meeting Takeaways:

– AWS STS can be exploited by threat actors to infiltrate cloud accounts and carry out attacks.
– It allows impersonation of user identities and roles, posing a significant threat to cloud security.
– The implicated service, AWS STS, provides temporary credentials to access AWS resources, valid for 15 minutes to 36 hours.
– Threat actors may obtain long-term IAM tokens via malware, exposed credentials, or phishing, and then explore roles and privileges associated with these tokens.
– Attackers could potentially create new IAM users with long-term tokens for the purpose of maintaining access if the original tokens are compromised and revoked.
– The subsequent phase of an attack may involve MFA-authenticated STS tokens to generate multiple short-term tokens for further malicious activities such as data theft.
– Recommended defensive measures include logging CloudTrail events, detecting role-chaining and MFA abuse, and rotating IAM user access keys to prevent token abuse.
– AWS STS is critical for limiting static credentials and access duration, but certain IAM configurations, common in many organizations, can allow adversaries to misuse STS tokens for accessing and attacking cloud resources.

Follow-up Actions:
– Review and potentially adjust IAM configurations to prevent misuse of AWS STS tokens.
– Implement recommended security measures such as CloudTrail event logging, detecting role-chaining events, monitoring for MFA abuse, and regularly rotating IAM user access keys.
– Stay informed on cloud security issues by following relevant social media feeds and industry analysis.

Full Article