Threat actors can exploit a vulnerability in Amazon Web Services Security Token Service (AWS STS) to infiltrate cloud accounts, as highlighted by researchers from Red Canary. The AWS STS allows attackers to impersonate user identities and roles in cloud environments, posing a serious security risk. Attackers can steal long-term IAM tokens through methods like malware infections and phishing, using these to assess roles and privileges through API calls. Once an attacker gains access, they can utilize Multi-Factor Authentication (MFA)-authenticated STS tokens to create new short-term tokens and execute post-exploitation actions, including data exfiltration. To mitigate such abuses, the researchers recommend logging CloudTrail event data, detecting role-chaining events and MFA abuse, and regularly rotating long-term IAM user access keys.
AWS STS serves as a critical security control for limiting the use of static credentials and access duration across cloud infrastructure. However, the researchers point out that certain IAM configurations, common across organizations, may allow adversaries to create and misuse STS tokens, enabling unauthorized access and malicious activities. This highlights the importance of organizations implementing robust security measures, including continuous monitoring, to detect and prevent such AWS token abuses. As cloud environments become increasingly integral to business operations, securing access controls and regularly updating security protocols remains essential in thwarting potential threats.