GetSigninToken
Event
Generates a sign-in token used to construct a federation URL for single sign-on to the AWS Management Console.
Security Context
- Stealing application access tokens allows adversaries to impersonate applications and access resources on behalf of legitimate service principals.
- Lateral movement techniques allow adversaries to expand their foothold by accessing additional systems and services within the environment.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Credential Access, Initial Access, Lateral Movement
Techniques:
- T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-b...
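A triage sketch for this event, added here as an example and not part of the original entry: it filters CloudTrail records for GetSigninToken and counts requests per principal and source IP that fall outside an allowlist of expected callers. The allowlist, role names, account ID and log records are constructed assumptions.

```python
import json
from collections import Counter

# Assumption: role names expected to request console sign-in tokens
# (for example an identity broker). Hypothetical value.
EXPECTED_ROLES = {"sso-console-broker"}

# Constructed CloudTrail records, reduced to the fields read below.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"signin.amazonaws.com","eventName":"GetSigninToken","sourceIPAddress":"198.51.100.10","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/sso-console-broker/alice"}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"signin.amazonaws.com","eventName":"GetSigninToken","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/dev-build-role/session1"}}
{"eventTime":"2024-05-01T10:06:00Z","eventSource":"signin.amazonaws.com","eventName":"GetSigninToken","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/dev-build-role/session1"}}
{"eventTime":"2024-05-01T10:07:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/dev-build-role/session1"}}
not json
"""

def role_of(arn):
    """Return the role name from an assumed-role ARN, else the ARN unchanged."""
    resource = arn.split(":", 5)[-1]
    parts = resource.split("/")
    return parts[1] if parts[0] == "assumed-role" and len(parts) >= 2 else arn

def signin_token_events(lines):
    """Yield GetSigninToken records, skipping blank or malformed lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if (isinstance(rec, dict)
                and rec.get("eventSource") == "signin.amazonaws.com"
                and rec.get("eventName") == "GetSigninToken"):
            yield rec

def unexpected_requests(lines, expected=EXPECTED_ROLES):
    """Count token requests per (principal, source IP) outside the allowlist."""
    hits = Counter()
    for rec in signin_token_events(lines):
        ident = rec.get("userIdentity") or {}
        principal = role_of(ident.get("arn", "unknown"))
        if principal not in expected:
            hits[(principal, rec.get("sourceIPAddress", "unknown"))] += 1
    return hits

if __name__ == "__main__":
    for (principal, ip), n in unexpected_requests(SAMPLE_LOG.splitlines()).items():
        print(f"review: {principal} requested {n} sign-in token(s) from {ip}")
```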