Skip to content

GetSigninToken

AWS

GetSigninToken

service: AWS - SignIn
techniques:

Event

Generates a sign-in token used to construct a federation URL for single sign-on to the AWS Management Console.

Security Context

  • Stealing application access tokens allows adversaries to impersonate applications and access resources on behalf of legitimate service principals.
  • Lateral movement techniques allow adversaries to expand their foothold by accessing additional systems and services within the environment.

Log Source

CloudTrail

Sample Event

Adversarial — pivot to console. Draco — having obtained federated credentials (draco-fed, see aws-getfederationtoken) — calls the federation endpoint’s getSigninToken action to convert his programmatic credentials into a console session. With the resulting token he can construct a signin.aws.amazon.com/federation URL and sign in as a federated user, viewing resources through the console UI rather than CLI. T1528.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "FederatedUser",
"principalId": "555123456789:draco-fed",
"arn": "arn:aws:sts::555123456789:federated-user/draco-fed",
"accountId": "555123456789",
"accessKeyId": "ASIADRAC0FED0SESS00666",
"sessionContext": {
"sessionIssuer": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"userName": "draco"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2026-04-15T21:21:38Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T21:24:05Z",
"eventSource": "signin.amazonaws.com",
"eventName": "GetSigninToken",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "Java/1.8.0_382",
"requestParameters": null,
"responseElements": {
"GetSigninToken": "Success"
},
"additionalEventData": {
"MobileVersion": "No",
"MFAUsed": "No"
},
"requestID": "90000000-0000-4000-8000-000101001000",
"eventID": "90000000-0000-4000-8000-000101001001",
"readOnly": false,
"eventType": "AwsConsoleSignIn",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
}
}

MITRE ATT&CK Mapping

Tactics: Credential Access Initial Access Lateral Movement

Techniques:
  • T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
  • T1550.001 — Application Access Token — Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.