We have previously blogged about the risk and challenges in Securing AWS Temporary Tokens.
In this blog, we will take a fresh look from the MITRE Att&ck chain viewpoint, in order to highlight new insights and specific cloud techniques used by adversaries, in an effort to help users be more effective in detecting, mitigating, and preventing different but similar attacks.
Recap: Securing AWS Temporary Tokens
Let’s summarize the challenges with temporary tokens and the common mitigation steps, before we contrast this with what we can glean from an Att&ck analysis.
Here is the original attack scenario:
The key steps are:
- A permanent Access Key A is compromised
- Key A is used immediately to generate an extra credential i.e. Temporary Token B (for backdoor purposes and obfuscation)
- Key A is used to escalate privileges via AssumeRole, which returns Temporary Token C
- Temporary Token C is then used to access an S3 Bucket
- Temporary Token C is used to exfiltrate data from the S3 Bucket
When mitigating this scenario, the defender first deleted/inactivated Access Key A, then also had to remember to “revoke” Temporary Token C. Revocation in this case meant using a specific role policy to deny all API calls by Temporary Token C based on its creation time.
However, this did not remove the adversary’s access, as there was still the existing Temporary Token B, which could also be used to escalate privileges and generate more temporary tokens (D) in order to continue access to the S3 Bucket: