AWS STS GetFederationToken Abuse for Persistence and Defense Evasion
Adversaries may exploit the AWS Security Token Service (STS) GetFederationToken API call to obtain temporary security credentials, enabling persistence and bypassing IAM API call limitations by gaining console access, with these temporary tokens remaining active for up to 36 hours, even if the initial compromised identity is deleted, and used to create console sign-in tokens.
Adversaries are known to abuse the AWS Security Token Service (STS) GetFederationToken API call as a method for defense evasion and persistence in compromised AWS environments. This technique allows an attacker, typically after compromising an IAM user or role, to request temporary security credentials. These temporary tokens can grant access to AWS resources and remain valid for up to 36 hours, critically maintaining access even if the original compromised identity's credentials are revoked or deleted. Furthermore, these federated tokens can be used to generate console sign-in tokens, providing attackers with interactive console access and potentially bypassing IAM API call limitations. The detection focuses on the first occurrence of such a request by a user, indicating unusual activity that could signify an attacker establishing a persistent foothold or evading existing security controls.
Attack Chain
- Initial Access: Adversary compromises an AWS account, typically by obtaining legitimate IAM user credentials (e.g., access key and secret key) through phishing, exposed credentials, or other means.
- Discovery/Credential Access: Using the compromised credentials, the attacker enumerates IAM permissions and identifies the ability to call
sts:GetFederationToken. - Defense Evasion & Persistence: The attacker calls the
GetFederationTokenAPI with the compromised credentials to obtain temporary security credentials (access key, secret key, session token) for a federated user. This action establishes a new, temporary identity. - Credential Manipulation: The attacker stores these temporary credentials, which provide a valid session to AWS, independent of the original compromised credentials.
- Persistence: Even if the original compromised IAM user's credentials are deleted or revoked, the temporary federated tokens remain active for their specified duration (up to 36 hours), granting the attacker continued access.
- Privilege Escalation/Execution: The attacker uses the temporary federated credentials to access AWS resources, perform actions, or generate a console sign-in URL to gain interactive console access, potentially bypassing API limitations and performing sensitive IAM operations.
- Impact: Continued unauthorized access, data exfiltration, resource modification, or deployment of additional malicious infrastructure.
Impact
A successful GetFederationToken abuse leads to sustained unauthorized access within the AWS environment. This persistence mechanism allows attackers to maintain control over an AWS account even after initial compromise vectors are remediated, significantly prolonging incident response efforts. Attackers can exfiltrate sensitive data, disrupt critical services, or deploy additional infrastructure using the federated credentials. The ability to generate console sign-in tokens further expands the attacker's operational capabilities, allowing them to interact with services through the AWS Management Console as a legitimate user, making detection and containment more challenging.
Recommendation
- Deploy the Sigma rule
AWS First Occurrence of STS GetFederationToken Request by Userin this brief to your SIEM and tune for your environment, paying close attention todata_stream.dataset: "aws.cloudtrail"logs. - Review the
user.name,aws.cloudtrail.user_identity.arn, andsource.ipfields in CloudTrail logs for anyGetFederationTokenrequests to identify unexpected user accounts or geographical locations. - Investigate the
aws.cloudtrail.response_elementsfield in logs for newly createdfederatedUser.arnvalues and monitor their subsequent activities. - Implement strong IAM policies that restrict the ability to call
sts:GetFederationTokento only necessary roles or users to minimize the attack surface. - If compromise is verified, attach the AWS-managed policy
AWSDenyAllto the compromised IAM principal to immediately revoke all associated temporary credentials.
Detection coverage 1
AWS First Occurrence of STS GetFederationToken Request by User
highDetects the first occurrence of an AWS Security Token Service (STS) GetFederationToken request made by a user. Adversaries may use this API to obtain temporary credentials for persistence and to bypass IAM API call limitations by gaining console access.
Detection queries are available on the platform. Get full rules →