AWS
- Use temporary credentials
- Get iam details
- Assume a specific role
- Login with MFA
- Add MFA to user
- Temporary credentials to GUI access
Use temporary credentials
Using the temporary credentials of an EC2 instance or Lambda function from anywhere else is poor OPSEC: GuardDuty raises UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS when EC2 instance credentials are used from outside AWS and the .InsideAWS variant when they are used from another AWS account, and CloudTrail logs the source IP of every call. The only way to use them without raising such alerts is from inside the same account.
However, once you have used them to assume a role, the resulting credentials are no longer tied to the instance and can be used from wherever you like (the AssumeRole call itself still has to be made from inside the account).
export AWS_ACCESS_KEY_ID=ASIAXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXX
export AWS_SESSION_TOKEN=XXXXXXXXXXXXXXXXXXX
Get iam details
aws iam get-account-authorization-details > iam.json
Requires iam:GetAccountAuthorizationDetails; it dumps every user, group and role of the account together with their inline and attached policies in a single file.
Assume a specific role
aws sts assume-role --role-arn arn:aws:iam::${accountId}:role/${roleName} --role-session-name ${roleName}
The response contains a Credentials object (AccessKeyId, SecretAccessKey, SessionToken, Expiration) to export as above. The session lasts one hour by default; --duration-seconds can raise it up to the role's MaxSessionDuration, and --serial-number/--token-code are needed when the role's trust policy requires MFA.
Login with MFA
Retrieve the MFA device ARN:
aws iam list-mfa-devices
Then create the session token:
aws sts get-session-token --serial-number ${arnMFADevice} --token-code ${MFACode}
The returned credentials satisfy the aws:MultiFactorAuthPresent condition. For an IAM user they last 12 hours by default and up to 36 hours with --duration-seconds.
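Both STS calls above print the same Credentials object, and exporting its three fields by hand is error-prone. The following helper is an added example (not code from the original page): it builds the assume-role or get-session-token command line, runs it, and renders the response as export lines. The SAMPLE_RESPONSE is a constructed placeholder so the parsing can be exercised without AWS access; the script name sts_export.py in the usage note is hypothetical.

```python
"""Run `aws sts assume-role` / `aws sts get-session-token` and print export lines.

Added example; SAMPLE_RESPONSE is a constructed stand-in for the CLI output.
"""
import json
import shlex
import subprocess
import sys

# Constructed sample of what `aws sts assume-role` prints (placeholder values,
# not real credentials). get-session-token returns the same Credentials shape.
SAMPLE_RESPONSE = """{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEXAMPLETOKEN",
        "Expiration": "2024-01-01T12:00:00+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:pentest",
        "Arn": "arn:aws:sts::123456789012:assumed-role/Admin/pentest"
    }
}"""


def credentials_from_response(raw):
    """Map the Credentials object of an STS CLI JSON response to env var names."""
    creds = json.loads(raw)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def export_lines(env):
    """Render the mapping as `export` lines; values are shell-quoted."""
    return "\n".join("export %s=%s" % (k, shlex.quote(v)) for k, v in env.items())


def sts_command(role_arn=None, session_name="session", mfa_serial=None,
                token_code=None, duration=None):
    """Build the aws CLI argv: assume-role when a role ARN is given,
    otherwise get-session-token. Both accept an MFA device and code."""
    if role_arn:
        cmd = ["aws", "sts", "assume-role", "--role-arn", role_arn,
               "--role-session-name", session_name]
    else:
        cmd = ["aws", "sts", "get-session-token"]
    if mfa_serial and token_code:
        cmd += ["--serial-number", mfa_serial, "--token-code", token_code]
    if duration:
        cmd += ["--duration-seconds", str(duration)]
    return cmd + ["--output", "json"]


def run(argv):
    """Execute the CLI and return its stdout (raises on a non-zero exit)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # With a role ARN argument the real CLI is called; without one the
    # constructed sample is parsed so the script can be tried offline.
    if len(sys.argv) > 1:
        raw = run(sts_command(role_arn=sys.argv[1], session_name="pentest"))
    else:
        raw = SAMPLE_RESPONSE
    print(export_lines(credentials_from_response(raw)))
```

Usage: `eval "$(python3 sts_export.py arn:aws:iam::123456789012:role/Admin)"` loads the role's credentials into the current shell; the same `aws sts assume-role` can then be repeated to chain into further roles.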
Add MFA to user
Create the virtual MFA device. The Base32 TOTP seed is written to the file given by --outfile; it is only returned at creation time, so keep it.
aws iam create-virtual-mfa-device --virtual-mfa-device-name ${deviceName} --outfile ${pathToStoreInfo} --bootstrap-method Base32StringSeed
Add the device to the user, using the SerialNumber (the device ARN) returned by the previous command and two consecutive TOTP codes generated from the seed. CreateVirtualMFADevice and EnableMFADevice are both logged in CloudTrail and the new device is visible in the user's security credentials, so this is noisy persistence:
aws iam enable-mfa-device --user-name ${username} --serial-number ${mfaArn} --authentication-code1 ${mfaCode1} --authentication-code2 ${mfaCode2}
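enable-mfa-device needs two consecutive codes, which means generating them from the seed rather than enrolling the seed in a phone app. The following is an added example (not code from the original page) implementing RFC 6238 TOTP with the parameters AWS virtual MFA devices use (HMAC-SHA1, 30-second step, 6 digits); the seed file path is whatever was passed to --outfile, and the RFC 4226/6238 test secret "12345678901234567890" is used as a stand-in seed when no file is given.

```python
"""Generate the two consecutive TOTP codes for `aws iam enable-mfa-device`
from the Base32 seed written by `create-virtual-mfa-device --outfile`.

Added example implementing RFC 6238 (SHA-1, 30 s step, 6 digits).
"""
import base64
import hashlib
import hmac
import struct
import sys
import time

STEP = 30    # seconds per window (AWS virtual MFA default)
DIGITS = 6   # code length

# Base32 of the RFC 4226 test secret "12345678901234567890"; stand-in seed only.
RFC_TEST_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_seed(seed_b32):
    """Decode the Base32 seed; whitespace is stripped and padding restored
    because the CLI writes the bare string."""
    seed = "".join(seed_b32.split()).upper()
    seed += "=" * (-len(seed) % 8)
    return base64.b32decode(seed)


def totp(seed_b32, at=None):
    """TOTP for the window containing `at` (epoch seconds, default now)."""
    at = time.time() if at is None else at
    return hotp(decode_seed(seed_b32), int(at // STEP))


def consecutive_codes(seed_b32, at=None):
    """The pair enable-mfa-device wants: the current window and the next one."""
    at = time.time() if at is None else at
    return totp(seed_b32, at), totp(seed_b32, at + STEP)


if __name__ == "__main__":
    # Usage: python3 mfa_codes.py <outfile-from-create-virtual-mfa-device>
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            seed = f.read()
    else:
        seed = RFC_TEST_SEED
    code1, code2 = consecutive_codes(seed)
    print("--authentication-code1 %s --authentication-code2 %s" % (code1, code2))
```

The same totp() function also produces the --token-code for get-session-token and assume-role once the device is enabled. Note that the second code is for the next 30-second window, so the enable-mfa-device call is valid as soon as it is issued; AWS will reject the pair if the seed was read back incorrectly, which is the first thing to check on an error.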
Temporary credentials to GUI access
Put your temporary credentials inside the following JSON:
{"sessionId": "ASIAXXXXXX", "sessionKey": "XXXXXXXX", "sessionToken": "XXXXXXXX"}
URL-encode the JSON and pass it as the Session parameter of the following URL:
https://signin.aws.amazon.com/federation?Action=getSigninToken&SessionDuration=43200&Session=${URLEncodedJSON}
Then retrieve the SigninToken from the JSON response ({"SigninToken": "..."}) and use it to open the console:
https://signin.aws.amazon.com/federation?Action=login&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3F&SigninToken=${SigninToken}
With SessionDuration=43200 your console session is good for 12 hours, the maximum the endpoint allows (the minimum is 900). SessionDuration is only honored for credentials obtained through AssumeRole*; for GetFederationToken credentials set DurationSeconds on that call instead.
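The two requests above, as an added example (not code from the original page) that builds both URLs with the standard library and returns the final console link. The fetch parameter exists so the getSigninToken request can be replaced by a stub when there is no network; the Issuer parameter is optional on the endpoint and is only set when given.

```python
"""Turn temporary credentials into an AWS console sign-in URL via the
federation endpoint (getSigninToken, then login). Added example."""
import json
import urllib.parse
import urllib.request

FEDERATION = "https://signin.aws.amazon.com/federation"
CONSOLE = "https://console.aws.amazon.com/console/home?"


def session_json(access_key, secret_key, session_token):
    """The Session document: note the field names differ from the env vars."""
    return json.dumps({"sessionId": access_key, "sessionKey": secret_key,
                       "sessionToken": session_token}, separators=(",", ":"))


def signin_token_url(access_key, secret_key, session_token, duration=43200):
    """Step 1: getSigninToken. urlencode percent-encodes the JSON for us.
    SessionDuration (900-43200) is only honored for AssumeRole* credentials;
    pass duration=None to omit it."""
    params = {"Action": "getSigninToken",
              "Session": session_json(access_key, secret_key, session_token)}
    if duration is not None:
        params["SessionDuration"] = str(duration)
    return FEDERATION + "?" + urllib.parse.urlencode(params)


def parse_signin_token(body):
    """The endpoint answers {"SigninToken": "..."}."""
    return json.loads(body)["SigninToken"]


def login_url(signin_token, destination=CONSOLE, issuer=None):
    """Step 2: the URL to open in a browser."""
    params = {"Action": "login"}
    if issuer:
        params["Issuer"] = issuer
    params["Destination"] = destination
    params["SigninToken"] = signin_token
    return FEDERATION + "?" + urllib.parse.urlencode(params)


def console_url(access_key, secret_key, session_token, fetch=None,
                duration=43200, destination=CONSOLE, issuer=None):
    """Full flow; `fetch` takes a URL and returns the response body as text."""
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url) as resp:
                return resp.read().decode()
    token = parse_signin_token(
        fetch(signin_token_url(access_key, secret_key, session_token, duration)))
    return login_url(token, destination, issuer)


if __name__ == "__main__":
    import os
    # Reads the exported temporary credentials from the environment.
    print(console_url(os.environ["AWS_ACCESS_KEY_ID"],
                      os.environ["AWS_SECRET_ACCESS_KEY"],
                      os.environ["AWS_SESSION_TOKEN"]))
```

Open the printed URL in a browser that has no other AWS session; the console then runs with the assumed role's permissions until the SessionDuration elapses.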