AWS - STS Persistence

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

STS

For more information access:

Assume role token

Temporary tokens cannot be listed, so maintaining an active temporary token is a way to maintain persistence.
aws sts get-session-token --duration-seconds 129600
# With MFA
aws sts get-session-token \
--serial-number <mfa-device-name> \
--token-code <code-from-token>
# Hardware device name is usually the number from the back of the device, such as GAHT12345678
# SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
# Virtual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username

Role Chain Juggling

Role chaining is an acknowledged AWS feature, often utilized for maintaining stealth persistence. It involves the ability to assume a role which then assumes another, potentially reverting to the initial role in a cyclical manner. Each time a role is assumed, the credentials' expiration field is refreshed. Consequently, if two roles are configured to mutually assume each other, this setup allows for the perpetual renewal of credentials.
You can use this tool to keep the role chaining going:
./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]
optional arguments:
-h, --help show this help message and exit
-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
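
Defenders can spot this pattern in CloudTrail, where every hop is an AssumeRole event whose caller is itself a role session. The following added example (not from the original page or the aws_role_juggler project) builds the role-to-role graph from such events and reports roles that sit on a cycle; the account ID, role names and sample records are constructed.

```python
from collections import defaultdict

ACCT = "arn:aws:iam::123456789012"  # placeholder account ID, constructed

def make_event(caller_type, issuer_arn, target_arn):
    """Build a minimal, constructed CloudTrail AssumeRole record (not a real log)."""
    return {
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": caller_type,
                         "sessionContext": {"sessionIssuer": {"arn": issuer_arn}}},
        "requestParameters": {"roleArn": target_arn},
    }

SAMPLE_EVENTS = [
    make_event("IAMUser", None, f"{ACCT}:role/RoleA"),                      # first hop, not chaining
    make_event("AssumedRole", f"{ACCT}:role/RoleA", f"{ACCT}:role/RoleB"),  # A -> B
    make_event("AssumedRole", f"{ACCT}:role/RoleB", f"{ACCT}:role/RoleA"),  # B -> A closes the loop
    make_event("AssumedRole", f"{ACCT}:role/RoleC", f"{ACCT}:role/RoleD"),  # one-way chain
]

def chaining_edges(events):
    """Map source role ARN -> set of target role ARNs for AssumeRole calls made by a role session."""
    edges = defaultdict(set)
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        ident = ev.get("userIdentity") or {}
        if ident.get("type") != "AssumedRole":
            continue  # caller is a user or service, so this is not role chaining
        src = ((ident.get("sessionContext") or {}).get("sessionIssuer") or {}).get("arn")
        dst = (ev.get("requestParameters") or {}).get("roleArn")  # null on some failed calls
        if src and dst:
            edges[src].add(dst)
    return edges

def juggling_cycles(events):
    """Return the sorted role ARNs that can reach themselves through chained AssumeRole calls."""
    edges = chaining_edges(events)
    cyclic = set()
    for start in list(edges):
        stack, seen = list(edges[start]), set()
        while stack:
            node = stack.pop()
            if node == start:
                cyclic.add(start)
                break
            if node not in seen:
                seen.add(node)
                stack.extend(edges.get(node, ()))
    return sorted(cyclic)
```

A role reported here has a trust path back to itself; reviewing the trust policies of the listed roles shows which mutual `sts:AssumeRole` grant makes the loop possible.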