GetFederationToken
Event
Returns temporary security credentials for a federated user, optionally scoped to an inline IAM policy.
Security Context
- Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
- Stealing application access tokens allows adversaries to impersonate applications and access resources on behalf of legitimate service principals.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Credential Access, Privilege Escalation, Initial Access
Techniques:
- T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-b...
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...