Authentication
Last updated
AWS access keys are used to talk to the API programmatically. When IAM creates resources such as users, user groups, instance profiles, etc., it assigns each of them a unique ID. The unique IDs show up in the form of an internal identifier. IAM also typically creates an ARN (Amazon Resource Name) through which we can reference certain resources such as users, groups, and policies. The ARNs help us identify resources visually. You will typically see these identifiers because they are used as the "username" for API keys.

The most common ones we will see are AKIA and ASIA keys. AKIA keys are permanent access keys, directly assigned to a user, and are non-expiring. One user can have up to two keys. As an attacker, we can add another key to an account and abuse the idea of multiple keys for rotation.

The other key you will see is an AWS STS temporary access key. These keys are provided by STS (the Security Token Service) and are a key type that has an expiration window between one and six hours. These keys are usually delivered on-demand or on request. What requests give these keys? The first mechanism is the AWS Instance Metadata Service (IMDS). IMDS gives keys for access to resources like EC2 or Lambda. Another mechanism is Federation or SSO. When a third-party resource wants to access a role, an AWS STS ASIA key is given with a six-hour expiration window.
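The AKIA/ASIA prefix distinction above is what you use when triaging key IDs that turn up in logs, repositories or incident artifacts. The following is an added example, not code from the original page: it scans free text for access key IDs, classifies each by prefix, and counts how many long-lived keys (the ones that need an immediate rotation) were found. The log lines and key IDs are constructed placeholders.

```python
import re
from collections import Counter

# Access key IDs are 20 characters: a 4-character prefix plus 16 uppercase
# alphanumerics. Only the two prefixes discussed on this page are mapped.
KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
PREFIX_KIND = {
    "AKIA": "long-term (IAM user key, non-expiring until rotated)",
    "ASIA": "temporary (STS credential, expires)",
}

def classify_access_key(key_id: str) -> str:
    """Return the key type implied by the prefix, or 'unknown' if the
    value is not shaped like an AWS access key ID at all."""
    if not KEY_ID_RE.fullmatch(key_id):
        return "unknown"
    return PREFIX_KIND[key_id[:4]]

def find_access_keys(text: str) -> list[tuple[str, str]]:
    """Scan free text (logs, config, source) for access key IDs.
    Returns (key_id, kind) pairs, deduplicated, in order of first sighting."""
    seen = {}
    for m in KEY_ID_RE.finditer(text):
        seen.setdefault(m.group(0), classify_access_key(m.group(0)))
    return list(seen.items())

def summarize(text: str) -> dict:
    """Count long-term vs temporary key IDs. A long-term (AKIA) key in a log
    or repo is a rotation ticket; a temporary (ASIA) key has already expired
    or will shortly, but still tells you which role was being used."""
    counts = Counter(kind.split(" ")[0] for _, kind in find_access_keys(text))
    return {"long-term": counts["long-term"], "temporary": counts["temporary"]}

# Constructed sample: an application log excerpt with credentials leaked
# into it. Key IDs are made-up placeholders, not real credentials.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z INFO  s3 client init user=AKIAEXAMPLE000000001
2024-01-01T10:00:05Z DEBUG assumed role, creds=ASIAEXAMPLE000000002 token=...
2024-01-01T10:00:09Z INFO  retry with AKIAEXAMPLE000000001
2024-01-01T10:01:00Z WARN  malformed id AKIAshort ignored
"""

if __name__ == "__main__":
    for key_id, kind in find_access_keys(SAMPLE_LOG):
        print(f"{key_id}: {kind}")
    print(summarize(SAMPLE_LOG))
```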
AWS has several login endpoints.
• Root accounts can log in using the following URL: http://console.aws.amazon.com.
• Non-root accounts (normal web accounts) can log in using a special URL: https://[account_id_or_alias].signin.aws.amazon.com/console/.
• Example URLs:
− http://123456789.signin.aws.amazon.com
− http://sec588co.signin.aws.amazon.com
• The Federated Workspace login is located at https://[account_id_or_alias].awsapps.com.
• Example URLs:
− http://123456789.awsapps.com
− http://sec588co.awsapps.com
Did you notice that it said account id or alias? The reason for this is that exposing the account id of an Amazon account to users or anyone else can lead to brute-forcing of sensitive account information, which you will see later. The alternative is to enable an alias, which helps reduce the number of people who can easily see the account number.