Securing the Cloud: Red Canary's Insightful Report on STS Abuse Tactics

Monitoring access tokens in the cloud, especially as adversaries strategically establish their access, is a crucial element of cloud security. A recent analysis explores the vital role of the Secure Token Service (STS) in AWS monitoring, as detailed in a threat detection blog by Red Canary. The blog sheds light on common abuses of the STS service, revealing how threat actors exploit it to impersonate user identities and roles within AWS.

The AWS STS is a pivotal web service designed to provision short-term access tokens to users, enhancing security through fixed durations and user assignment. Red Canary underscores the significance of preventing token theft and outlines how adversaries exploit the STS to impersonate user identities and roles, initiating a cascade of threats within AWS. The analysis provides insights into the methodologies employed by adversaries to compromise long-term IAM tokens (AKIA). Typical initial access vectors account for the theft of IAM tokens such as malware infections, phishing emails, and the exposure of credentials in public repositories. Once compromised, adversaries run API commands to understand their level of privileges, validate and analyze the life of their token, and establish a mechanism of persistence potentially through a new IAM user.

Red Canary delves into the creation of short-term STS tokens (ASIA), explaining how adversaries can leverage legitimate IAM users with AKIA tokens to request ASIA tokens through the sts:GetSessionToken API call. Monitoring triggers, such as commands coinciding with console logins, are established to detect ASIA tokens, enhancing the understanding of potential threats. Illustrating a potential intrusion scenario, the analysis outlines how adversaries strategically generate long-term AKIA tokens for generating short-term ASIA tokens, with backup tokens ensuring persistence. The timeline includes data exfiltration from an S3 bucket using ASIA tokens and rotating through additional short-term tokens for sustained intrusion.

Extended insights cover the detection and analysis of stolen tokens within EC2 instance profiles and IAM user sessions. Specific instances, such as EC2 profiles interacting with IAM services and IAM users assuming distinct roles, are scrutinized. This comprehensive analysis from Red Canary provides security teams with an understanding of AWS STS abuse, from compromise to detection and response. The insights derived from the Red Canary analysis offer actionable strategies for securing AWS environments, mitigating threats, and responding effectively to compromised identities.