STS Session Token Persistence

medium

Persistence

An attacker generates long-lived STS session tokens that remain valid even after the original access keys are deleted or rotated.

Required Permissions

sts:GetSessionToken
sts:AssumeRole
sts:GetFederationToken

Description

The sts:GetSessionToken API returns temporary credentials (access key, secret key, and session token) that are valid for up to 36 hours for IAM users. These temporary credentials have a critical property: they remain valid even if the original access key that generated them is deleted.

This creates a persistence window:

1. Attacker compromises an IAM user's access key
2. Attacker calls sts:GetSessionToken to generate temporary credentials valid for 36 hours
3. Defender detects the compromise and deletes or rotates the original access key
4. Attacker continues operating with the session token for up to 36 hours

The session token credentials do not appear in IAM credential reports and cannot be revoked individually. The only way to invalidate them is to revoke all active sessions of the IAM user (or of the role) or to delete the IAM user entirely.

Similarly, sts:AssumeRole tokens can be valid for up to 12 hours (or longer with chained role sessions), and federation tokens from sts:GetFederationToken can last up to 36 hours. Each of these creates a persistence window that survives credential rotation.

Impact

Continued access for up to 36 hours after the original credentials are rotated or deleted. Tokens are invisible in IAM credential reports and cannot be individually revoked.

Detection

Monitor for GetSessionToken and GetFederationToken calls, especially those requesting maximum duration. Track API calls made with temporary credentials after the source key has been deleted.
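As an added detection sketch, not part of the original library entry, the correlation below runs over constructed CloudTrail-style records: it flags GetSessionToken and GetFederationToken requests at the 36-hour ceiling, and any later call made with a temporary access key whose originating access key has since been deleted. The record layout (requestParameters.durationSeconds, responseElements.credentials.accessKeyId) is assumed to mirror CloudTrail, and every key ID is constructed.

```python
# Added example (not from the page): correlate CloudTrail-style records so that a
# session token which outlives the access key that minted it is flagged.
# Record layout and all key IDs below are constructed for illustration.
from datetime import datetime, timezone

MAX_SESSION_SECONDS = 129600  # 36 h, the GetSessionToken / GetFederationToken ceiling

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def analyse(events):
    """Return (max_duration_requests, orphaned_session_calls) as lists of tuples."""
    issued, deleted_at = {}, {}   # temp key -> source key ; source key -> deletion time
    max_duration, orphaned = [], []
    for e in sorted(events, key=lambda r: r["eventTime"]):
        name, t = e["eventName"], parse_time(e["eventTime"])
        caller_key = e["userIdentity"].get("accessKeyId", "")
        if name in ("GetSessionToken", "GetFederationToken"):
            # Default duration for GetSessionToken is 12 h when none is requested
            seconds = int(e.get("requestParameters", {}).get("durationSeconds", 43200))
            temp_key = e["responseElements"]["credentials"]["accessKeyId"]
            issued[temp_key] = caller_key
            if seconds >= MAX_SESSION_SECONDS:
                max_duration.append((name, caller_key, seconds))
        elif name == "DeleteAccessKey":
            deleted_at[e["requestParameters"]["accessKeyId"]] = t
        elif caller_key in issued:
            source = issued[caller_key]
            if source in deleted_at and t > deleted_at[source]:
                orphaned.append((name, caller_key, source))
    return max_duration, orphaned

# Constructed records: a 36-hour session is minted, the source key is deleted an
# hour later, and the temporary key is still used after the deletion.
SAMPLE = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "GetSessionToken",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000USER"},
     "requestParameters": {"durationSeconds": 129600},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE00000TEMP"}}},
    {"eventTime": "2024-01-01T10:30:00Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE00000TEMP"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "DeleteAccessKey",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000ADMIN"},
     "requestParameters": {"accessKeyId": "AKIAEXAMPLE00000USER"}},
    {"eventTime": "2024-01-01T12:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE00000TEMP"}},
]

def run_sample():
    return analyse(SAMPLE)
```

The 10:30 ListBuckets call is not flagged because the source key was still live at that point; only the 12:00 call, made after DeleteAccessKey, is reported as an orphaned session.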

Mitigation

Use IAM role session policies to limit token duration. Revoke all active sessions when responding to compromises (aws iam put-role-policy with a deny-all for sessions older than a timestamp). Implement automated credential rotation with short maximum session durations.