AWS STS federation token issued with permissions allowing all actions
Description
AlphaSOC detected AWS Security Token Service (STS) federation tokens configured with unrestricted permissions allowing all actions across AWS services. These tokens enable temporary users to perform any operation within the AWS environment, creating significant security risks and violating the principle of least privilege.
Impact
Overly permissive federation tokens enable unauthorized access to and modification of AWS resources and services. Threat actors can exploit these permissions to compromise data integrity, alter infrastructure, create backdoor credentials, establish new IAM entities for persistence, and perform potentially harmful actions within the AWS environment where these permissions apply.
Severity
| Severity | Condition |
|---|---|
| Low | AWS STS federation token issued with permissions allowing all actions |
Investigation and Remediation
Examine AWS CloudTrail logs to identify when and by whom the overly permissive federation tokens were issued and track their usage patterns. Review the federation configuration and associated IAM policies to understand the scope of granted permissions. Restrict the federation setup to enforce least-privilege principles and implement granular IAM policies that include only required permissions for specific use cases. Revoke active tokens with excessive permissions and rotate potentially affected credentials. Configure AWS CloudWatch alerts and monitoring for federation activities and token usage patterns that may indicate misuse.
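The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's detection logic: it walks CloudTrail records, picks out `GetFederationToken` calls (the STS API that issues federation tokens), and flags any whose inline session policy allows `"Action": "*"` on `"Resource": "*"`. The records are constructed for the example; the field layout (`eventSource`, `eventName`, `requestParameters.policy` carried as a JSON string) follows CloudTrail's STS events, and all ARNs, names and timestamps are made up. The second record carries a scoped, least-privilege session policy of the kind the remediation calls for, so the scan shows the permissive and the corrected form side by side.

```python
# Added example (not AlphaSOC's code): flag GetFederationToken calls whose inline
# session policy grants every action on every resource, using CloudTrail records.
import json

# Constructed CloudTrail records, trimmed to the fields this check needs.
# Field names follow CloudTrail's STS event layout; all values are made up.
SAMPLE_RECORDS = [
    {   # permissive: session policy allows all actions on all resources
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetFederationToken",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/fed-broker"},
        "requestParameters": {
            "name": "ops-contractor",
            "durationSeconds": 43200,
            "policy": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
            }),
        },
    },
    {   # remediated: session policy limited to the actions the use case needs
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetFederationToken",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/fed-broker"},
        "requestParameters": {
            "name": "report-reader",
            "durationSeconds": 3600,
            "policy": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Action": ["s3:GetObject", "s3:ListBucket"],
                    "Resource": ["arn:aws:s3:::reports-bucket",
                                 "arn:aws:s3:::reports-bucket/*"],
                }],
            }),
        },
    },
    {   # unrelated STS call: must be ignored by the scan
        "eventTime": "2024-05-01T10:06:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/deploy"},
    },
]


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_unrestricted_policy(policy):
    """True if any Allow statement grants Action "*" on Resource "*".
    A Condition block narrows *when* the grant applies, not *what* it grants,
    so it does not exempt the statement from being flagged."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.strip() for a in _as_list(stmt.get("Action"))}
        resources = {r.strip() for r in _as_list(stmt.get("Resource"))}
        if "*" in actions and "*" in resources:
            return True
    return False


def scan_federation_events(records):
    """Return one finding per GetFederationToken call with an unrestricted
    session policy. Calls with no session policy are skipped: a federated
    session issued without one has no effective permissions."""
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != \
                ("sts.amazonaws.com", "GetFederationToken"):
            continue
        params = rec.get("requestParameters") or {}
        raw_policy = params.get("policy")
        if raw_policy is None:
            continue
        policy = json.loads(raw_policy) if isinstance(raw_policy, str) else raw_policy
        if is_unrestricted_policy(policy):
            findings.append({
                "time": rec.get("eventTime"),
                "issued_by": (rec.get("userIdentity") or {}).get("arn"),
                "name": params.get("name"),
                "duration_seconds": params.get("durationSeconds"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_federation_events(SAMPLE_RECORDS):
        print(f"UNRESTRICTED federation token '{f['name']}' issued by "
              f"{f['issued_by']} at {f['time']} for {f['duration_seconds']}s")
```

Each finding carries the issuing principal's ARN, the federated user name and the requested duration, which is what the remediation needs: the ARN identifies who to review and which credentials to rotate, the name identifies the session to revoke, and a long `durationSeconds` on an unrestricted token is itself worth an alert. Real CloudTrail exports wrap records in a top-level `Records` list; pass that list to `scan_federation_events`.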