AWS STS Exploitation: A Gateway for Cloud Account Infiltration

Security researchers have identified a vulnerability in Amazon Web Services Security Token Service (AWS STS) that could allow threat actors to infiltrate cloud accounts and carry out follow-on attacks. AWS STS, which issues temporary, limited-privilege credentials for accessing AWS resources, can be abused to impersonate user identities and roles within cloud environments.

The tokens issued by AWS STS can remain valid for periods ranging from 15 minutes to 36 hours. Attackers can obtain long-term IAM tokens through various methods, including malware, exposed credentials, or phishing, and then use these tokens to ascertain associated roles and privileges via API calls.

Adversaries holding tokens with sufficient permissions may create additional IAM users with long-term AKIA access keys, maintaining persistence in the account even if the original tokens are revoked. Furthermore, an MFA-authenticated STS token can be used to generate multiple new short-term tokens, enabling actions such as data exfiltration.

To counteract such threats, experts recommend logging CloudTrail event data, monitoring for role-chaining and MFA abuse, and regularly rotating long-term IAM user access keys. While AWS STS serves as an essential security measure to limit static credential usage and access duration, certain IAM configurations prevalent across organizations can be manipulated by adversaries to gain unauthorized access to cloud resources and carry out malicious activities.
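The monitoring the recommendations above call for can be prototyped against CloudTrail records. The following is an added example, not code from the original article or from AWS: it parses constructed CloudTrail JSON log lines and flags role chaining (an AssumeRole call made from an already-assumed role session), sessions requested beyond an assumed local threshold, and long-term access keys minted from a temporary session. The field names are standard CloudTrail fields; the account ID, ARNs and threshold are constructed placeholders.

```python
import json

# Constructed CloudTrail records (sample data, not from a real account); only
# the fields the detection logic reads are included.
SAMPLE_LOG = [
    '{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},'
    '"requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/Deploy","durationSeconds":3600}}',
    '{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole",'
    '"userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Deploy/s1"},'
    '"requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/Admin","durationSeconds":3600}}',
    '{"eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey",'
    '"userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Admin/s2"},'
    '"requestParameters":{"userName":"backup-svc"}}',
    '{"eventSource":"sts.amazonaws.com","eventName":"GetSessionToken",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},'
    '"requestParameters":{"durationSeconds":129600,"serialNumber":"arn:aws:iam::111122223333:mfa/bob"}}',
]

MAX_SESSION_SECONDS = 3600  # assumed local policy threshold; tune to your environment

def classify(event):
    """Return the finding labels that apply to one parsed CloudTrail record."""
    findings = []
    name = event.get("eventName")
    ident = event.get("userIdentity", {})
    params = event.get("requestParameters") or {}
    if event.get("eventSource") == "sts.amazonaws.com":
        # Role chaining: an already-assumed role session requests another role.
        if name == "AssumeRole" and ident.get("type") == "AssumedRole":
            findings.append("role-chaining")
        # Session lifetime above the local threshold (GetSessionToken allows up to 36h).
        if params.get("durationSeconds", 0) > MAX_SESSION_SECONDS:
            findings.append("long-session")
    # Persistence: a temporary session minting a long-term access key for an IAM user.
    if name == "CreateAccessKey" and ident.get("type") == "AssumedRole":
        findings.append("access-key-from-temporary-session")
    return findings

def scan(log_lines):
    """Parse JSON log lines and return one result per flagged event."""
    results = []
    for line in log_lines:
        event = json.loads(line)
        findings = classify(event)
        if findings:
            results.append({"actor": event["userIdentity"]["arn"],
                            "event": event["eventName"], "findings": findings})
    return results
```

Calling `scan(SAMPLE_LOG)` flags the chained AssumeRole, the CreateAccessKey from a role session and the 36-hour GetSessionToken, while the plain one-hour AssumeRole by an IAM user passes.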
