AWS Session Token
Service Name: Amazon Web Services
Service Description: Amazon Web Services (AWS) is a comprehensive cloud platform offering over 200 fully featured services from data centers globally. Session tokens are temporary credentials used with AWS Security Token Service (STS) for short-term access to AWS resources.
Service Address: https://aws.amazon.com/
Validation Type: API Auth, NHI Enriched
IP Allow list: IP Restriction is available per service using Security Groups, VPCs, or IAM policy conditions.
Secret Access Scope: Grants temporary programmatic access to AWS resources and services based on the permissions of the IAM role or user that generated the token. Session tokens are typically used with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as part of temporary credentials.
Secret Revokement URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html
Secret Example: IQoJb3JpZ2luX2VjECkaCXVzLWVhc3QtMSJHMEUCIQDWvx5O8Xws4jz/an0oyQYVYOF0Pno5Y9KgF/LAjpSy7QIgQi5xMgv/4J93R0xD+hIUQQI5sGCucGVPRIi3+OMDdMsq1QMIFhAAGgw0NTIyNTAyNTEzMzAiDEQrq+DlPQzgWO/EECqpAzXThGXjUC7PIvdwmVgP0hYbSDcYJNy+LUub6o59wlDQlrJZKYA7KZZ6YEzQULJk0tZYYXOJHRZsIm2FzCnNgINeBF6FYQXEJhxgSDQbZBOiJXyWzGLNNVQQDB8P8MRTxP8OTzgZYGcJoJDu0CE6QHNzrZ8W9/9UVQ7xKjsHZP5iCJZUCXUwj8F9pYrJHdKrI/YdTXnXcv9xg0qTCKunBjq0Aun0MNrn5aEGOpkBGMmKA8bZ1s+NjQRNk+Jl7GhCYpkAZUBIDf8w1LaG/QU67AHRRSp5xjj5Bc56OFw1wFbzIq8T3FYZcR9T1jWBZtFOAA8bXepIIAMhKMbsXvwd7TdbNKpBuUHj1nLwgyTNyZ5+GZGMkJQOeCkUKY7KQIVQYPh8nU1LXJsZ2KU7l4/4D6Q9x3TvCTy4PTNNpBEbBHFMrXXRF/LBrjb9SSxqmTiRc7GfOvUJlg==
Suspicious Activity Investigation Instructions:
- Review CloudTrail logs for unusual API calls or resource access using the session token.
- Check for unexpected role assumption activities in CloudTrail.
- Monitor for unauthorized service usage or resource creation.
- Examine the source IP addresses from which the session token was used.
- Review the duration and scope of the session token to ensure it aligns with expected usage patterns.
Mitigation Instructions:
- Session tokens cannot be directly revoked once issued, but you can:
- Modify the IAM role's trust policy to deny access to the entity that assumed the role.
- Add a deny policy to the IAM role to restrict its permissions.
- For compromised IAM users, rotate their access keys immediately.
- Consider implementing shorter session durations for future token issuance.
- Implement stricter conditions in IAM policies (e.g., IP restrictions, MFA requirements).
- Review and update IAM roles to follow the Principle of Least Privilege.
- Enable AWS CloudTrail and configure alerts for suspicious activities.