Let’s talk about sts:GetFederationToken and why we should disable it within our AWS accounts. This call creates temporary access credentials that can be associated with any user identity. These credentials are difficult to revoke from the console, and they cannot be revoked using the standard "deny all credentials issued before time X" policy. It is much better to use the standard built-in identity providers: OpenID Connect for CI/CD operations, or IAM Identity Center for federated user access. We’ll walk through how this call works, what it was originally intended for, and some threat detection.
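As an added example (not code from the original post), here is a small Python script that does the two defensive things the paragraph calls for: it flags sts:GetFederationToken calls in CloudTrail records and builds a service control policy that denies the action. The CloudTrail records, account id and principal names are constructed sample data.

```python
"""Flag sts:GetFederationToken calls in CloudTrail and build an SCP that denies it."""
import json

# Constructed CloudTrail records (not real account data): one GetFederationToken
# call next to two unrelated calls that must not be flagged.
SAMPLE_RECORDS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "eventTime": "2024-01-01T12:00:00Z", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-bot"},
     "requestParameters": {"name": "build-temp", "durationSeconds": 43200}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "eventTime": "2024-01-01T12:01:00Z", "sourceIPAddress": "198.51.100.11",
     "userIdentity": {"type": "WebIdentityUser"}, "requestParameters": {}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventTime": "2024-01-01T12:02:00Z", "sourceIPAddress": "198.51.100.12",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-bot"},
     "requestParameters": {}},
]


def find_federation_token_events(records):
    """Return one finding per GetFederationToken call: who called it, from where,
    which federated user name was requested and how long the credentials last."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com":
            continue
        if rec.get("eventName") != "GetFederationToken":
            continue
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "caller_arn": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "federated_name": params.get("name"),
            "duration_seconds": params.get("durationSeconds"),
        })
    return findings


def deny_get_federation_token_scp():
    """Service control policy (as a dict) denying sts:GetFederationToken for every
    principal in the accounts it is attached to."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DenyGetFederationToken", "Effect": "Deny",
                           "Action": "sts:GetFederationToken", "Resource": "*"}]}


if __name__ == "__main__":
    for finding in find_federation_token_events(SAMPLE_RECORDS):
        print("GetFederationToken call:", json.dumps(finding))
    print(json.dumps(deny_get_federation_token_scp(), indent=2))
```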
I recently competed at the 4th Cyberseed event at UConn in the
application development competition. The challenge was to build a secure
application according to specific specifications before the competition. Then
the individual teams would attack each other's apps in order to collect various
flags placed in our apps. This year was the first for this particular event,
and the challenge was to build a secure medical repository. The teams were
then given the source for each other's apps a couple of days before the event.
This event was a lot of fun and led to a lot of lessons about secure app
development for me.