There are typically two types of credentials you will be working with, long term (access keys) and short term.
Long term access keys start with AKIA and will be 20 characters long. Short term (temporary) access keys start with ASIA, are 20 characters long, and also have a 40 character secret key. In addition, temporary security credentials will also have a session token.
To do this with long term credentials, set the following environment variables.
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLEEE
export AWS_SECRET_ACCESS_KEY=EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLESEXA
To do this with short term credentials, set the following environment variables.
export AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLEEE
export AWS_SECRET_ACCESS_KEY=EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLESEXAM
export AWS_SESSION_TOKEN=EXAMPLEEXAMPLEEXAMPLE...<snip>
Windows: %USERPROFILE%\.aws\credentials
Linux/macOS: ~/.aws/credentials
$ aws sts get-caller-identity
{
    "UserId": "AROAEXAMPLEEXAMPLEEXA:Nick",
    "Account": "123456789123",
    "Arn": "arn:aws:sts::123456789123:assumed-role/blah/Nick"
}
If you are attempting to maintain stealth, sts:GetCallerIdentity may be a risk. This API call is logged to CloudTrail, which means that defenders will have a record, with additional details, that it occurred. To get around this, we can make use of data events.
If you are using a "pentesting" Linux distribution such as Kali Linux, Parrot Security, or Pentoo Linux, you will immediately trigger a PenTest GuardDuty finding. This is because the AWS CLI will send along a user agent string that contains information about the operating system making the API call.
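Seen from the defender's side, both signals above are visible in CloudTrail records. The following is an added example, not code from the original page: it triages records for sts:GetCallerIdentity calls, classifies the key by its AKIA/ASIA prefix, and checks the user agent. The key character set, the distribution substrings and the sample records are assumptions made for illustration.

```python
import re

# Key ID shape from the text: AKIA or ASIA prefix, 20 characters in total.
# Assumption: the remaining 16 characters are uppercase letters or digits.
KEY_ID = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
KEY_KIND = {"AKIA": "long-term", "ASIA": "short-term"}
# Assumption: the distribution name shows up inside the OS part of the user agent.
PENTEST_DISTROS = ("kali", "parrot", "pentoo")


def key_kind(access_key_id):
    """Classify an access key ID by prefix; None if it has another shape."""
    match = KEY_ID.match(access_key_id or "")
    return KEY_KIND[match.group(1)] if match else None


def triage(record):
    """Return the reasons a CloudTrail record deserves a closer look."""
    reasons = []
    if (record.get("eventSource") == "sts.amazonaws.com"
            and record.get("eventName") == "GetCallerIdentity"):
        kind = key_kind(record.get("userIdentity", {}).get("accessKeyId"))
        reasons.append(f"GetCallerIdentity with {kind or 'unrecognised'} key")
    user_agent = record.get("userAgent", "").lower()
    reasons += [f"user agent mentions {d}" for d in PENTEST_DISTROS if d in user_agent]
    return reasons


# Constructed sample records (trimmed to the fields used here, not real logs).
SAMPLE = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEEXAMPLEEE"},
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0-kali3-amd64"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEEXAMPLEEE"},
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/5.15.0-91-generic"},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEEXAMPLEEE"},
     "userAgent": "Boto3/1.34.0 Python/3.11.6 Linux/5.15.0-91-generic"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["eventName"], triage(rec))
```

Legitimate tooling also calls sts:GetCallerIdentity, so a hit here is a prompt to look at the source IP and what the key did next, not a verdict on its own.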
Resources/credit:
https://hackingthe.cloud/aws/general-knowledge/using_stolen_iam_credentials/