AWS STS federation token issued with access to all resources
Description
AlphaSOC detected AWS Security Token Service (STS) federation tokens issued with overly broad permissions across all AWS resources. This indicates improperly configured federation policies that grant unrestricted access through temporary credentials, violating the principle of least privilege and creating significant security exposure.
Impact
Overly permissive federation tokens create significant security risks by enabling unauthorized access to AWS services and resources. Threat actors can exploit these tokens to perform lateral movement, escalate privileges, and establish persistent access to sensitive assets and data across the entire AWS environment.
Severity
| Severity | Condition |
|---|---|
| Low | AWS STS federation token issued with access to all resources |
Investigation and Remediation
Review AWS CloudTrail logs to identify when and by whom the overly permissive federation tokens were issued, including the specific API calls and policies involved. Analyze the IAM roles, policies, and trust relationships associated with the federation configuration. Implement proper access controls based on least-privilege principles and revoke any active tokens with excessive permissions. Rotate any potentially compromised credentials and monitor for unauthorized resource access or configuration changes. Establish ongoing monitoring for federation token issuance and implement policy validation to prevent future occurrences.
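As an added illustration of the CloudTrail review step (example code written for this page, not AlphaSOC's detection logic), the script below scans constructed CloudTrail records for `GetFederationToken` calls whose inline session policy contains an `Allow` statement with `Resource: "*"`. It assumes the standard CloudTrail field names and that the inline policy arrives as a JSON string under `requestParameters.policy`; managed session policies passed by ARN are not inspected.

```python
import json

# Constructed sample CloudTrail records (not real logs). The field layout
# follows the CloudTrail schema; "policy" is the inline session policy that
# GetFederationToken receives, which CloudTrail stores as a JSON string.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/federation-broker"},
     "requestParameters": {"name": "analyst-1", "durationSeconds": 3600,
         "policy": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/federation-broker"},
     "requestParameters": {"name": "analyst-2", "durationSeconds": 3600,
         "policy": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": ["s3:GetObject"],
              "Resource": "arn:aws:s3:::reports-bucket/*"}]})}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-runner"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/deploy"}},
]

def _as_list(value):
    # IAM policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def policy_allows_all_resources(policy_doc):
    """True if any Allow statement in the inline policy names Resource "*"."""
    try:
        policy = json.loads(policy_doc)
    except (TypeError, ValueError):
        # Missing or malformed policy string: nothing to inspect here.
        return False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False

def find_broad_federation_tokens(events):
    """Return (caller ARN, federated user name) for each GetFederationToken call
    whose inline session policy grants access to all resources."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "GetFederationToken":
            continue
        params = ev.get("requestParameters") or {}
        # Managed session policies passed via policyArns are not inspected here.
        if policy_allows_all_resources(params.get("policy")):
            findings.append((ev["userIdentity"]["arn"], params.get("name")))
    return findings
```

Each finding identifies the caller ARN and the federated user name, which is what the follow-up steps (reviewing the broker's IAM policy, revoking the session, rotating credentials) need.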