Home / Companies / Crowdstrike / Blog / Post Details
Content Deep Dive

How Adversaries Can Persist with AWS User Federation

Blog post from Crowdstrike

Post Details
Company
Date Published
Author
AWS
Word Count
4,011
Company Posts That Month
Language
English
Hacker News Points
-
Post removed?
No
Summary

CrowdStrike has identified a sophisticated technique employed by threat actors to maintain persistence within AWS environments using federated sessions. This method involves exploiting the AWS Security Token Service (STS) to create temporary credentials that outlast the revocation of original IAM user credentials. By using the sts:GetFederationToken API call, attackers can generate federated sessions that inherit permissions from compromised IAM users, allowing them to perform actions even after the base user's API keys are deactivated. The federated sessions persist until they expire, unless the permissions of the base IAM user are explicitly overridden or reduced. CrowdStrike recommends using an explicit deny-all IAM policy or a Service Control Policy (SCP) to effectively revoke the permissions of such federated sessions. This persistence technique highlights the need for organizations to adopt best practices such as minimizing the use of long-lived credentials and applying robust policy controls to prevent unauthorized access and privilege escalation within cloud environments.

Trends Found in this Post
Trend Post Mentions Total Month Mentions Posts Companies MoM
AI Agents 1 2,394 1,321 1 -
Zero Trust 1 1,843 1,331 3 +61333%
Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.