News

Open Source Tool Tracks Breaches from Temporary AWS Tokens

• By Gladys Rama
• 04/20/2020

An Amazon Web Services (AWS) feature that lets administrators issue temporary credentials is ripe for breaches, according to security firm CyberArk, which recently launched an open source tool to trace such attacks.

In a blog post last week, CyberArk researcher Omer Tsarfati described a few ways that attackers can take advantage of the AWS Security Token Service (STS), a mechanism that's used by organizations to generate temporary security tokens for select users. Those users can then use their tokens to access parts of the organization's AWS environment within a set window -- anywhere between a few minutes to a few hours.

"Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested," AWS explains in its STS user guide. "When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so."

According to Tsarfati, this ability for a user to request new credentials, potentially indefinitely, poses a security risk. A hacker needs to acquire just one privileged user access key -- perhaps one that was leaked by accident to a public repository -- to be able to make multiple temporary tokens in succession using the AssumeRole API. The multiple temporary tokens effectively act like a permanent one, Tsarfati explained, giving the hacker long-term access to an organization's AWS resources.

Using this method, the hacker can perform a cryptomining attack, Tsarfati said, "or other things like deleting all the VMs in the environment, encrypting data (ransomware in a cloud environment), modifying information in databases, or just keeping persistence for future usage."

Detecting such attacks can be difficult, according to Tsarfati, because it's likely for an AWS environment to have "hundreds" of AssumeRole calls in a single day. Attacks can go unnoticed for longer periods of time, making it harder to trace the source of the breach.

To make detection easier, CyberArk this week launched the SkyWrapper open source tool. SkyWrapper "analyzes behaviors of all the temporary tokens created in a given AWS account," Tsarfati said. "The tool aims to find suspicious creation forms and uses of temporary tokens to detect malicious activity in the account."

SkyWrapper generates an Excel sheet that lists all of the temporary tokens currently in use in an AWS environment, as well as any access key IDs that may have been used to generate new tokens. Running SkyWrapper can help organizations "get a better view of the temporary tokens that exist in your environment, detect the privileged ones, and handle the ones that are marked as suspicious," Tsarfati said. The tool is available on GitHub here.