Skip to main content

3. Security Token Service - STS


sts:AssumeRole

  • Similar to access keys - they expire and don't belong to the identity
  • Limited Access
  • Used to access AWS resource
  • Requested by an identity (AWS or External)

Trust Policy


Wall around the role image.png

Roles pretty much uses STS :)

Revoking IAM Role Temporary Credentials


Roles can be assumed by many identities NOTE: Temporary credentials cannot be cancelled. What happens if these credentials are leaked?

  • Changing the trust policy has no impact on existing credentials.
  • Changing the permissions policy impacts ALL credentials

FIX: Update your permissions policy with an AWSRevokeOlderSessions inline deny for any sessions older than right meow. Note: Explicit Deny always overrules Allows

Demo: Revoking IAM Role Temporary Credentials


  1. Log into the Management account and create this stack: https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://learn-cantrill-labs.s3.amazonaws.com/awscoursedemos/0038-aws-pro-revoking-temporary-credentials/A4LHostingInc.yaml&stackName=A4L
  2. Gather the IP addresses of the two EC2 instances that have been created.
  3. Open the IP addresses in a new browser tab
  4. Connect to instance A and run curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ image.png
  5. Run this command to grab the security credentials (simulating a bad actor) that basically is the name of your role at the end of it curl http://169.254.169.254/latest/meta-data/iam/security-credentials/BYforLife-InstanceRole-RwrCsdfhsdjh

image.png 6. Replace the values in this script below

SET AWS_ACCESS_KEY_ID=AKID
SET AWS_SECRET_ACCESS_KEY=SAK
SET AWS_SESSION_TOKEN=TOKEN
  1. Run the following commands after setting the variables
aws s3 ls
aws ec2 describe-instances --region us-east-1

Now you can interact with S3 as well as EC2. Remember, you cannot invalidate these credentials

Invalidate the credentials


You could delete the entire BYforLife-Instance Role, but that will affect ALL of the services using that role.

  1. Go to IAM, click on Roles, then click on the Role.
  2. Click on the Revoke Sessions tab image.png
  3. Click Revoke Active Sessions and click through that. image.png
  4. Note there is a new inline policy:
    image.png
  5. Try to interact with the terminal again and grab the aws s3 ls commands and you will find that you cannot use them any more
  6. Delete the Customer inline policy that was created, then try to use the aws s3 ls command again and find that it works.
  7. You won't be able to access the EC2 instances via Session Manager until you restart the instances - the instances will assume the role again with a NEWER credentials that do not fall under the AWSRevokeOlderSessions policy.

Clean up


Delete the Role (it is tainted with the revoke) Delete the Stack