
AWS STS GetFederationToken invoked by aws_consoler utility

ID: aws_sts_consoler
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0003:T1098.001

Description

AlphaSOC detected a GetFederationToken call whose federated user name (the Name request parameter, recorded in CloudTrail as requestParameters.name) was "aws_consoler", indicating use of the aws_consoler utility. This open-source tool turns programmatic AWS access keys into a temporary AWS Console session: it calls GetFederationToken and exchanges the returned temporary credentials for a console sign-in token via the AWS federation endpoint. GetFederationToken is a legitimate STS operation that issues temporary credentials whose permissions are the intersection of the calling IAM user's policies and the session policy passed in the call. Threat actors use it to pivot from a compromised access key to an interactive console session, to act under a federated-user identity instead of the original key, and to reach the console without the sign-in flow where MFA or other login controls would otherwise apply. Because GetFederationToken can only be called with long-term credentials, the caller in this event is an IAM user (or the account root user) rather than a role session.

Impact

Use of aws_consoler suggests that a threat actor holds valid AWS access keys and is expanding how they use them. The console gives the attacker a point-and-click view of the environment, making it easier to enumerate resources, modify configurations and exfiltrate data than through the CLI alone. Actions taken with the federated session are logged under a FederatedUser identity (arn:aws:sts::ACCOUNT_ID:federated-user/aws_consoler) rather than the original access key, which blurs attribution at a glance, although CloudTrail still records the issuing IAM user in userIdentity.sessionContext.sessionIssuer. Because the session is created without a console sign-in, conditional access policies or MFA enforced on standard console logins are not applied to it.

Severity

Severity   Condition
Low        AWS STS GetFederationToken invoked by aws_consoler utility

Investigation and Remediation

Review AWS CloudTrail logs to identify the IAM user that made the GetFederationToken request and trace all actions performed both before and after the call. Examine the userIdentity field of the GetFederationToken event for the access key (userIdentity.accessKeyId) and principal that generated the token, and note the temporary key returned in responseElements.credentials.accessKeyId and the federated user ARN in responseElements.federatedUser.arn. Follow-on activity by the session appears under userIdentity.type "FederatedUser" with that ARN and temporary key, and its sessionContext.sessionIssuer points back to the issuing IAM user; a ConsoleLogin event from signin.amazonaws.com under the federated identity confirms the console was reached.

If this activity was unauthorized, immediately rotate or delete the compromised access keys. Note that federated credentials already issued remain valid until they expire (up to 36 hours for an IAM user caller), so also cut off active sessions by attaching an explicit Deny to the affected IAM user conditioned on aws:TokenIssueTime being earlier than the time of revocation; the federated session inherits the user's policies at request time, so the deny takes effect immediately. Review CloudTrail for all actions taken by both the original credentials and the federated session, and assess whether any resources were accessed, modified or exfiltrated. Going forward, deny sts:GetFederationToken through an SCP or IAM policy if it is not required in your environment, and require MFA for programmatic access with an IAM policy condition such as a Deny when aws:MultiFactorAuthPresent is false (using BoolIfExists, since calls made with long-term keys carry no MFA context at all).
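The following Python is an added example (not AlphaSOC's detection logic or the aws_consoler project's code) that works through both the detection condition described above and the investigation steps: it matches GetFederationToken calls with the aws_consoler name, pivots from the issuing IAM user to the federated session's follow-on events via the federated-user ARN, temporary key and sessionContext.sessionIssuer, and builds the aws:TokenIssueTime deny policy for revocation. The CloudTrail records are constructed for the example; account IDs, user names, key IDs and IP addresses are placeholders.

```python
"""Triage CloudTrail records for aws_consoler-style GetFederationToken use (added example)."""
import json

CONSOLER_NAME = "aws_consoler"


def _ev(time, name, source, identity, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data, not real logs)."""
    rec = {"eventTime": time, "eventName": name, "eventSource": source,
           "userIdentity": identity, "sourceIPAddress": "203.0.113.10"}
    rec.update(extra)
    return rec


# Placeholder principal whose long-term key is (hypothetically) compromised.
ISSUER = {"type": "IAMUser", "principalId": "AIDAEXAMPLE000001", "userName": "ci-deploy",
          "arn": "arn:aws:iam::123456789012:user/ci-deploy", "accountId": "123456789012"}
FED_ARN = "arn:aws:sts::123456789012:federated-user/aws_consoler"
# Identity block CloudTrail attaches to actions taken with the federated session:
# type FederatedUser, the temporary key, and sessionIssuer pointing back at the IAM user.
FED_IDENTITY = {"type": "FederatedUser", "principalId": "123456789012:aws_consoler",
                "arn": FED_ARN, "accountId": "123456789012",
                "accessKeyId": "ASIAEXAMPLETEMP0001",
                "sessionContext": {"sessionIssuer": ISSUER,
                                   "attributes": {"mfaAuthenticated": "false"}}}

SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "GetFederationToken", "sts.amazonaws.com",
        dict(ISSUER, accessKeyId="AKIAEXAMPLEKEY000001"),
        requestParameters={"name": CONSOLER_NAME, "durationSeconds": 43200},
        responseElements={"credentials": {"accessKeyId": "ASIAEXAMPLETEMP0001"},
                          "federatedUser": {"arn": FED_ARN}}),
    # Benign federation by an application user under another name: must not match.
    _ev("2024-05-01T10:01:00Z", "GetFederationToken", "sts.amazonaws.com",
        {"type": "IAMUser", "userName": "reporting", "accessKeyId": "AKIAEXAMPLEKEY000002",
         "arn": "arn:aws:iam::123456789012:user/reporting", "accountId": "123456789012"},
        requestParameters={"name": "reporting-app"},
        responseElements={"credentials": {"accessKeyId": "ASIAEXAMPLETEMP0002"},
                          "federatedUser": {"arn": "arn:aws:sts::123456789012:federated-user/reporting-app"}}),
    # Console sign-in and browsing performed with the session minted by the first event.
    _ev("2024-05-01T10:02:00Z", "ConsoleLogin", "signin.amazonaws.com", FED_IDENTITY),
    _ev("2024-05-01T10:05:00Z", "ListBuckets", "s3.amazonaws.com", FED_IDENTITY),
    # Activity by the other federated user: outside the scope of this investigation.
    _ev("2024-05-01T10:06:00Z", "DescribeInstances", "ec2.amazonaws.com",
        {"type": "FederatedUser", "accessKeyId": "ASIAEXAMPLETEMP0002",
         "arn": "arn:aws:sts::123456789012:federated-user/reporting-app"}),
]


def is_consoler_federation(event):
    """Detection condition: a GetFederationToken call whose Name parameter is aws_consoler."""
    return (event.get("eventSource") == "sts.amazonaws.com"
            and event.get("eventName") == "GetFederationToken"
            and (event.get("requestParameters") or {}).get("name") == CONSOLER_NAME)


def find_consoler_sessions(events):
    """One record per matching call: who issued it, from where, and what session resulted."""
    found = []
    for ev in events:
        if not is_consoler_federation(ev):
            continue
        ident = ev["userIdentity"]
        resp = ev.get("responseElements") or {}
        found.append({
            "issued_at": ev["eventTime"],
            # GetFederationToken needs long-term credentials, so the caller should be an
            # IAM user (or root); any other type here warrants a closer look.
            "caller_type": ident.get("type"),
            "issuing_user": ident.get("userName"),
            "issuing_key": ident.get("accessKeyId"),
            "source_ip": ev.get("sourceIPAddress"),
            "federated_arn": (resp.get("federatedUser") or {}).get("arn"),
            "temp_key": (resp.get("credentials") or {}).get("accessKeyId"),
        })
    return found


def session_activity(events, session):
    """Events performed with the federated session, matched on the federated-user ARN or
    temporary key; the last tuple field records whether sessionIssuer names the issuing user."""
    acts = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "FederatedUser":
            continue
        if (ident.get("arn") != session["federated_arn"]
                and ident.get("accessKeyId") != session["temp_key"]):
            continue
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        acts.append((ev["eventTime"], ev["eventSource"], ev["eventName"],
                     issuer.get("userName") == session["issuing_user"]))
    return acts


def revocation_policy(revoked_at):
    """Inline deny policy for the issuing IAM user. aws:TokenIssueTime exists only on
    temporary credentials, so this cuts off every session issued before revoked_at while
    leaving the user's (rotated) long-term keys unaffected."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"DateLessThan": {"aws:TokenIssueTime": revoked_at}}}]}


if __name__ == "__main__":
    for s in find_consoler_sessions(SAMPLE_EVENTS):
        print("aws_consoler federation by", s["issuing_user"], "key", s["issuing_key"],
              "from", s["source_ip"], "->", s["federated_arn"])
        for when, src, name, attributed in session_activity(SAMPLE_EVENTS, s):
            print("  ", when, src, name, "issuer-match" if attributed else "ISSUER-MISMATCH")
        print(json.dumps(revocation_policy("2024-05-01T11:00:00Z"), indent=2))
```

Matching follow-on events on both the federated-user ARN and the temporary key matters because the ARN is shared by every aws_consoler session in the account (the name is fixed), whereas the key from responseElements.credentials is unique to the one call under investigation.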

Known False Positives

  • Authorized use of aws_consoler or similar federation tools by security teams for legitimate testing or operational purposes.