Skip to content

GetFederationToken

AWS

GetFederationToken

service: AWS - STS
techniques:

Event

Returns temporary security credentials for a federated user, optionally scoped to an inline IAM policy.

Security Context

  • Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
  • Stealing application access tokens allows adversaries to impersonate applications and access resources on behalf of legitimate service principals.

Log Source

CloudTrail

Sample Event

Adversarial — persistence. Draco calls sts:GetFederationToken against his own user (draco) with an inline Action: "*", Resource: "*" policy, getting an admin-equivalent federated session that survives any subsequent rotation/deletion of his long-term IAM access key. Classic persistence pattern documented by Hacking The Cloud — DurationSeconds: 43200 (12 hours, the max for an IAM user) gives him time to chain into the console via GetSigninToken. T1078.004 + T1528.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco"
},
"eventTime": "2026-04-15T21:21:38Z",
"eventSource": "sts.amazonaws.com",
"eventName": "GetFederationToken",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"name": "draco-fed",
"policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}]}",
"durationSeconds": 43200
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIADRAC0FED0SESS00666",
"expiration": "Apr 16, 2026, 9:21:38 AM",
"sessionToken": "<encoded session token blob>"
},
"federatedUser": {
"arn": "arn:aws:sts::555123456789:federated-user/draco-fed",
"federatedUserId": "555123456789:draco-fed"
},
"packedPolicySize": 4
},
"requestID": "90000000-0000-4000-8000-000100111100",
"eventID": "90000000-0000-4000-8000-000100111101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "sts.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Credential Access Privilege Escalation Initial Access Stealth

Techniques:
  • T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...