Skip to content

AWS Session Token

Service Name: Amazon Web Services

Service Description: Amazon Web Services (AWS) is a comprehensive cloud platform offering over 200 fully featured services from data centers globally. Session tokens are temporary credentials used with AWS Security Token Service (STS) for short-term access to AWS resources.

Service Address: https://aws.amazon.com/

Validation Type: API Auth, NHI Enriched

IP Allow list: IP Restriction is available per service using Security Groups, VPCs, or IAM policy conditions.

Secret Access Scope: Grants temporary programmatic access to AWS resources and services based on the permissions of the IAM role or user that generated the token. Session tokens are typically used with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as part of temporary credentials.

Secret Revokement URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html

Secret Example: IQoJb3JpZ2luX2VjECkaCXVzLWVhc3QtMSJHMEUCIQDWvx5O8Xws4jz/an0oyQYVYOF0Pno5Y9KgF/LAjpSy7QIgQi5xMgv/4J93R0xD+hIUQQI5sGCucGVPRIi3+OMDdMsq1QMIFhAAGgw0NTIyNTAyNTEzMzAiDEQrq+DlPQzgWO/EECqpAzXThGXjUC7PIvdwmVgP0hYbSDcYJNy+LUub6o59wlDQlrJZKYA7KZZ6YEzQULJk0tZYYXOJHRZsIm2FzCnNgINeBF6FYQXEJhxgSDQbZBOiJXyWzGLNNVQQDB8P8MRTxP8OTzgZYGcJoJDu0CE6QHNzrZ8W9/9UVQ7xKjsHZP5iCJZUCXUwj8F9pYrJHdKrI/YdTXnXcv9xg0qTCKunBjq0Aun0MNrn5aEGOpkBGMmKA8bZ1s+NjQRNk+Jl7GhCYpkAZUBIDf8w1LaG/QU67AHRRSp5xjj5Bc56OFw1wFbzIq8T3FYZcR9T1jWBZtFOAA8bXepIIAMhKMbsXvwd7TdbNKpBuUHj1nLwgyTNyZ5+GZGMkJQOeCkUKY7KQIVQYPh8nU1LXJsZ2KU7l4/4D6Q9x3TvCTy4PTNNpBEbBHFMrXXRF/LBrjb9SSxqmTiRc7GfOvUJlg==

Suspicious Activity Investigation Instructions:

  • Review CloudTrail logs for unusual API calls or resource access using the session token.
  • Check for unexpected role assumption activities in CloudTrail.
  • Monitor for unauthorized service usage or resource creation.
  • Examine the source IP addresses from which the session token was used.
  • Review the duration and scope of the session token to ensure it aligns with expected usage patterns.

Mitigation Instructions:

  • Session tokens cannot be directly revoked once issued, but you can:
  • Modify the IAM role's trust policy to deny access to the entity that assumed the role.
  • Add a deny policy to the IAM role to restrict its permissions.
  • For compromised IAM users, rotate their access keys immediately.
  • Consider implementing shorter session durations for future token issuance.
  • Implement stricter conditions in IAM policies (e.g., IP restrictions, MFA requirements).
  • Review and update IAM roles to follow the Principle of Least Privilege.
  • Enable AWS CloudTrail and configure alerts for suspicious activities.