Nam Quang Nguyen
This section will delve into the critical steps to take when an EC2 instance is compromised and its STS credentials are at risk. I'll cover methods to identify compromised instances, extract potential STS credentials, and most importantly, revoke those credentials to mitigate further damage.
Part 1: Understanding STS
What is STS?
Security Token Service (STS) is a component of AWS that provides temporary security credentials. These credentials can be used to access AWS resources without exposing long-term credentials. STS is crucial for enhancing security and flexibility in managing access to your AWS environment.
Unlike IAM, which manages long-term credentials and permissions, STS focuses on generating short-lived credentials for specific use cases.
Use Cases for STS
STS offers a wide range of applications within the AWS ecosystem:
- Similar to access keys
- Generates temporary credentials (sts:AssumeRole)
- Limited access
- Used to access AWS resources
- Requested by an identity (AWS or External)
Part 2: What happens if an EC2 instance is taken control by someone else?
The best practice for running AWS Resource is using IAM Roles. This function attaches an IAM Role for a resource and provides them permission to access other AWS resources instead of using IAM Credentials
In this blog, I will show you how to get credentials from an EC2 instance and use them with the cli.
How to get credentials from EC2 instance
In this example, for simple i created a EC2 instance in a public subnet and allow anything in the security group.
Please specified needed policy with limited permissions in real world.
And from the session console i use curl to get information about EC2 metadata. After created an EC2, i access to EC2 by that local IP address 169.254.169.254
# Get role name from metadata
curl http://169.254.169.254/latest/meta-data/iam/security-credentials
# Get the credentials with role name
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/REPLACE_ME
The credentials is something like this
{
"Code" : "Success",
"LastUpdated" : "2024-08-03T06:06:45Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIAWDEGI6ESSSXVEBFW",
"SecretAccessKey" : "KwN5anzRvzoxtqzW6k6poMSc0T8zVIk1lnAmr",
"Token" : "IQoJb3JpZ2luX2VjELf//////////Wgh/dD4mbF4wRNTeW/qWkOWil0FuI6t5pcnBy/kUO7eOCQ==",
"Expiration" : "2024-08-03T12:40:56Z"
}
After get credentials, you can passing it into the local credentials of the AWS CLI using command aws configure. Then you can use Terraform to create a maximum instance type for mining bitcoin 👿.
Solutions
Remember, you can not manually invalidate temporary credentials. They only expire when they expire. But because changing the permissions policy affects everyone, you can add a condition element to it denying anyone access to AWS who assumed the role before a certain date and time.
And then you can go to the IAM Role then choose the last tab Revoke sessions and revoke them.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"*"
],
"Resource": [
"*"
],
"Condition": {
"DateLessThan": {
"aws:TokenIssueTime": "[policy creation time]"
}
}
}
]
}
After that, all temporary credentials will be invalid, you can go back to EC2, and now you can not access to the EC2 instance. To resolve this, we can stop and start the ec2 instance again to get the new temporary credentials.
