Found some Access Keys?

This post explains why simply making an IAM user's access keys inactive is not enough once they have leaked to an attacker, and how red teams can use this lesser-known technique to increase the blast radius and keep using the access keys even after they have been made inactive.

STS Tokens

Most of the time you will have heard about getting STS tokens for an IAM Role, but it is also possible to obtain STS tokens for an IAM User, and unlike sts:AssumeRole for a Role, you don't need any permission attached to do so.

aws sts get-caller-identity

Now, let's fetch those STS tokens for this key. Note that the key is still active.

aws sts get-session-token --duration-seconds 72000

The best part about the above API call is that you can max out the duration of the STS tokens, and unlike Roles there is nothing a defender can do to limit how long STS tokens for a user may live :).

Defender Notified and Makes Key Inactive

Now, the defender has been notified and has made the key inactive.

As is evident, get-caller-identity calls with the access key will fail now.

Attacking via STS Tokens

Even though the key has been made inactive, the attacker can still use the previously obtained STS tokens to make API calls.

export AWS_ACCESS_KEY_ID=ASIAYQDT3AH76LMMJXQM
export AWS_SECRET_ACCESS_KEY=JlLnEIgiZ4MwvAiooGqu/7JYFARx1H6zmVwqZA3J
export AWS_SESSION_TOKEN=FwoGZXIvYXdzEIX//////////wEaDO6vFLBpa7FFnQOnkiKCAZGjpfnIPojyGsTsgmCaQxAxAHH21Wapz4iEAZ82PHOopBwi9CddjwWCd2gkeQaBPMhMv+bBdNL93nfT3CudiiraYYhaosii+vmVkQQkZ7Ji2gKDVZCasMPZTLPAcX+pkFx8J+71oqhVgfg3Wec625Vvt65mCeZDJKJb+tj+5sY3Xe8o+eOtlAYyKIwyWEBxYkE3R5N1sf8G8tKrtOal/E1sXO1kFhqRdV2BJaWwFMHZiBI=

Learnings

  • As a red teamer, always run get-session-token to validate a key: valid access keys will return STS tokens, while invalid access keys will error out. This way, even if the defender makes the key inactive, you still have the keys to the kingdom :)

  • As a defender, make sure to attach a policy to the IAM user that revokes all of its existing STS tokens rather than only making the key inactive. Making the key INACTIVE DOESN'T REALLY HELP on its own.

  • To the bot writers, automate in a way that calls get-session-token with the max duration rather than simply doing get-caller-identity and alerting security teams :)
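The defender learning above in code, as an added example that is not part of the original post: IAM evaluates the user's policies on every request, so an inline Deny conditioned on aws:TokenIssueTime invalidates every session minted before the cutoff, and deactivating the keys then stops new sessions. The boto3 IAM methods are the real ones; the policy name, the user name and the fake client in the test are assumptions.

```python
"""Revoke STS sessions a leaked IAM user key has already minted.

Setting the key to Inactive does not touch sessions obtained via
GetSessionToken. A Deny on aws:TokenIssueTime does: the key is only
present for temporary credentials, so long-term key use is unaffected
until the key itself is deactivated (done here as the second step).
"""
import json
from datetime import datetime, timezone

POLICY_NAME = "RevokeOlderSessions"  # assumed name, not from the post


def build_revoke_policy(cutoff: datetime) -> dict:
    """Deny every action for temporary credentials issued before `cutoff`."""
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def revoke_user_sessions(iam, user_name: str, cutoff=None) -> dict:
    """Attach the deny policy inline, then deactivate all of the user's keys.

    `iam` is a boto3 IAM client (or any object exposing the same methods),
    passed in so the logic can be exercised without AWS credentials.
    Returns the policy document that was attached.
    """
    cutoff = cutoff or datetime.now(timezone.utc)
    policy = build_revoke_policy(cutoff)
    iam.put_user_policy(UserName=user_name, PolicyName=POLICY_NAME,
                        PolicyDocument=json.dumps(policy))
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        iam.update_access_key(UserName=user_name,
                              AccessKeyId=key["AccessKeyId"],
                              Status="Inactive")
    return policy


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    # "leaked-user" is an assumed user name; replace with the affected user.
    print(json.dumps(revoke_user_sessions(boto3.client("iam"), "leaked-user")))
```

Sessions issued after the cutoff are not denied, so re-run with a fresh cutoff if the key is ever re-enabled before the policy is removed.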
