Company
Date Published
Author
AWS
Word count
4011
Language
English
Hacker News points
None

Summary

CrowdStrike has identified a technique that threat actors use to maintain persistence in AWS environments through federated sessions. The method abuses the AWS Security Token Service (STS): a compromised IAM user calls the sts:GetFederationToken API to mint temporary credentials for a federated session, and those credentials stay valid after the IAM user's own access keys are deactivated. Because a federated session inherits its effective permissions from the base IAM user, the attacker can keep acting in the account until the session expires, unless the base user's permissions are explicitly overridden or reduced in the meantime. CrowdStrike therefore recommends revoking such sessions with an explicit deny-all IAM policy on the base user or with a Service Control Policy (SCP), rather than relying on key deactivation alone. The technique highlights the need for organizations to minimize the use of long-lived credentials and to apply robust policy controls that prevent unauthorized access and privilege escalation in cloud environments.
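A detection-side illustration of the gap described above, written as an added example rather than code from CrowdStrike or AWS: it correlates constructed CloudTrail-style events to find GetFederationToken sessions minted by an IAM user whose access keys were later deactivated or deleted, and reports those that have not yet expired. The event layout follows CloudTrail's field names (eventSource, eventName, userIdentity, requestParameters); all user names, key ids and timestamps are made up.

```python
"""Flag sts:GetFederationToken sessions that outlive the deactivation of the
base IAM user's access keys (constructed sample data, not real CloudTrail)."""
from datetime import datetime, timedelta, timezone

# Constructed sample events; field names mirror CloudTrail, values are invented.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"name": "maint", "durationSeconds": 129600}},  # 36h max
    {"eventTime": "2024-05-01T12:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAccessKey",  # responder deactivates the leaked key
     "userIdentity": {"type": "IAMUser", "userName": "sec-responder"},
     "requestParameters": {"userName": "ci-deploy", "status": "Inactive",
                           "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "requestParameters": {"name": "report", "durationSeconds": 3600}},
]


def _ts(s):
    """Parse CloudTrail's UTC timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_surviving_federated_sessions(events, now):
    """Return federated sessions whose base user had an access key deactivated
    or deleted, and whose credentials are still unexpired at `now`."""
    sessions, revoked = [], {}
    for e in events:
        src, name, params = e["eventSource"], e["eventName"], e["requestParameters"]
        if src == "sts.amazonaws.com" and name == "GetFederationToken":
            issued = _ts(e["eventTime"])
            dur = params.get("durationSeconds", 43200)  # API default is 12 hours
            sessions.append({"base_user": e["userIdentity"]["userName"],
                             "session_name": params["name"], "issued": issued,
                             "expires": issued + timedelta(seconds=dur)})
        elif src == "iam.amazonaws.com" and (
                name == "DeleteAccessKey"
                or (name == "UpdateAccessKey" and params.get("status") == "Inactive")):
            user, when = params["userName"], _ts(e["eventTime"])
            revoked[user] = min(revoked.get(user, when), when)
    findings = []
    for s in sessions:
        if s["base_user"] in revoked and s["expires"] > now:
            findings.append(dict(s, key_revoked_at=revoked[s["base_user"]]))
    return findings
```

A hit means key deactivation alone did not end the session; the base user still needs an explicit deny policy (or an SCP) until the session's expiry time passes.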