GetSigninToken
AWS
GetSigninToken
Event
Generates a sign-in token used to construct a federation URL for single sign-on to the AWS Management Console.
Security Context
- Stealing application access tokens allows adversaries to impersonate applications and access resources on behalf of legitimate service principals.
- Lateral movement techniques allow adversaries to expand their foothold by accessing additional systems and services within the environment.
Log Source
CloudTrail
Sample Event
Adversarial — pivot to console. Draco — having obtained federated credentials (draco-fed, see aws-getfederationtoken) — calls the federation endpoint’s getSigninToken action to convert his programmatic credentials into a console session. With the resulting token he can construct a signin.aws.amazon.com/federation URL and sign in as a federated user, viewing resources through the console UI rather than CLI. T1528.
{ "eventVersion": "1.09", "userIdentity": { "type": "FederatedUser", "principalId": "555123456789:draco-fed", "arn": "arn:aws:sts::555123456789:federated-user/draco-fed", "accountId": "555123456789", "accessKeyId": "ASIADRAC0FED0SESS00666", "sessionContext": { "sessionIssuer": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "userName": "draco" }, "webIdFederationData": {}, "attributes": { "creationDate": "2026-04-15T21:21:38Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T21:24:05Z", "eventSource": "signin.amazonaws.com", "eventName": "GetSigninToken", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "Java/1.8.0_382", "requestParameters": null, "responseElements": { "GetSigninToken": "Success" }, "additionalEventData": { "MobileVersion": "No", "MFAUsed": "No" }, "requestID": "90000000-0000-4000-8000-000101001000", "eventID": "90000000-0000-4000-8000-000101001001", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com" }}MITRE ATT&CK Mapping
Tactics: Credential Access Initial Access Lateral Movement
Techniques:
- T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
- T1550.001 — Application Access Token — Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.