Skip to content

GetSessionToken

AWS

GetSessionToken

service: AWS - STS
techniques:

Event

Returns temporary credentials for an IAM user, typically used to satisfy an MFA requirement for subsequent API calls.

Security Context

  • Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
  • Stealing application access tokens allows adversaries to impersonate applications and access resources on behalf of legitimate service principals.

Log Source

CloudTrail

Sample Event

Legitimate — MFA-protected programmatic access. Hermione (IAM admin) calls sts:GetSessionToken with her YubiKey TOTP code to obtain MFA-elevated short-term credentials so she can run a privileged IAM task that requires aws:MultiFactorAuthPresent. Defaulted to legitimate to balance the shard’s narrative — GetSessionToken is most commonly seen as benign MFA-elevation traffic; the adversarial signal is when it appears from a non-corporate IP or with no serialNumber.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAHERM10NE000ADM1N",
"arn": "arn:aws:iam::555123456789:user/hermione",
"accountId": "555123456789",
"accessKeyId": "AKIAHERM10NEEXAMPLE1",
"userName": "hermione"
},
"eventTime": "2026-04-15T14:11:09Z",
"eventSource": "sts.amazonaws.com",
"eventName": "GetSessionToken",
"awsRegion": "us-east-1",
"sourceIPAddress": "198.51.100.42",
"userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/sts.get-session-token",
"requestParameters": {
"serialNumber": "arn:aws:iam::555123456789:mfa/hermione-yubikey",
"durationSeconds": 43200
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000101000110",
"eventID": "90000000-0000-4000-8000-000101000111",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "sts.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Credential Access Privilege Escalation Stealth

Techniques:
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...
  • T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.