Daily Blog #757: Solution Saturday 2/22/25
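The article discusses security issues in AWS IMDS (the EC2 Instance Metadata Service), in particular how IMDS v1 and v2 differ with respect to credential leakage. Through experiments, the researcher shows how temporary access keys can be obtained from inside and outside the VM, and analyzes what is logged in each scenario to help detect potential security threats. 2025-2-23 05:13:0 Author: www.hecfblog.com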

By February 22, 2025

Hello Reader,

This week the real question is: can anyone stop Ilya Kobzar's winning streak? Here he is, back again with another winning answer and some very thorough research on what happens when credentials are taken via IMDS on AWS.

The Challenge:

AWS IAM Roles are often targeted by threat actors after they get access to a running virtual machine. While AWS IMDS v2 may prevent some attacks, the functionality is still there and is being actively exploited to get credentials and act as a service or role. In this challenge I want you to try the following and document what logs are left that could be used to detect or determine that these actions occurred.

1. Retrieve a temporary AWS access key credential from IMDS v1

2. Retrieve a temporary AWS access key credential from IMDS v2

3. Use the temporary access key within an AWS VM

4. Use the temporary access key from outside of AWS

From all four scenarios determine what logs are created.

Bonus: Try to document other scenarios of theft and use, and additional sources of evidence.
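For scenarios 3 and 4, one log-side check is to compare the source address on CloudTrail records made with an instance role's session against the addresses that instance is known to use. The sketch below is an added example, not code from this post or from the winning answer; the inventory, account ID, role name, key ID and events are constructed, and it assumes the instance-profile session name is the instance ID.

```python
import ipaddress
import re

# Constructed inventory (assumption): instance ID -> addresses it calls AWS from.
INSTANCE_IPS = {"i-0abc1234def567890": {"10.0.1.25", "203.0.113.10"}}

# Assumption: instance-profile sessions carry the instance ID as session name.
SESSION_RE = re.compile(r":assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")

ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/WebRole/i-0abc1234def567890"


def _event(name, src, arn=ROLE_ARN, kind="AssumedRole"):
    """Build a constructed CloudTrail record with only the fields read below."""
    return {"eventName": name, "sourceIPAddress": src,
            "userIdentity": {"type": kind, "arn": arn,
                             "accessKeyId": "ASIAEXAMPLEEXAMPLE01"}}


SAMPLE_EVENTS = [  # constructed, not real log data
    _event("GetObject", "203.0.113.10"),            # key used on the instance
    _event("ListBuckets", "198.51.100.77"),         # same key, other address
    _event("DescribeInstances", "autoscaling.amazonaws.com"),
    _event("GetObject", "198.51.100.77",
           arn="arn:aws:iam::111122223333:user/alice", kind="IAMUser"),
]


def classify(event, inventory=INSTANCE_IPS):
    """Label one CloudTrail record by where the instance-role key was used."""
    ident = event.get("userIdentity", {})
    match = SESSION_RE.search(ident.get("arn", ""))
    if ident.get("type") != "AssumedRole" or not match:
        return "not-instance-role"
    src = event.get("sourceIPAddress", "")
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return "aws-service"  # service principal name instead of an IP
    known = inventory.get(match.group(2))
    if known is None:
        return "unknown-instance"
    return "expected" if src in known else "off-instance"


def findings(events, inventory=INSTANCE_IPS):
    """Return (eventName, accessKeyId, sourceIP) for records worth triage."""
    return [(e["eventName"], e["userIdentity"]["accessKeyId"], e["sourceIPAddress"])
            for e in events
            if classify(e, inventory) in ("off-instance", "unknown-instance")]
```

A key moved to a different EC2 instance is labelled off-instance as well, provided the inventory is kept per instance rather than per VPC.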

The winning answer:

https://www.ilyakobzar.com/p/ec2-iam-role-sts-credentials-compromise


Article source: https://www.hecfblog.com/2025/02/daily-blog-757-solution-saturday-22225.html