Skip to main content
Room Banner
Back to all walkthroughs
Room Icon

STS Credentials Lab

Max room.

Learn how to assume roles and get temporary credentials.

medium

30 min

371

User profile photo.
User profile photo.
User profile photo.

To access material, start machines and answer questions login.

Understanding how credentials are generated and can be leveraged is critical for understanding how to attack or defend a cloud account or application.  In this room, we will walk through the creation of a new User and an Access Key for that user. We will then use that Key to assume a different Role to get temporary credentials. You can refer back to the Access Key and How services get credentials tasks in the Credentials Room.

AWS Identity Access Management (IAM) Overview.
In the above diagram, the Group, Policy (permissions), and the Role already exist. You will be creating the User and Long-term security credential. From your AttackBox you will use the long-term credential to authenticate to the Security Token Service () (opens in new tab) to assume the role. The Service will return to you the Temporary security credentials required to authenticate to as that role. 

If you haven't already done so, click the orange Cloud Details button at the top-right of the page, generate the Cloud Environment, and use the Credentials provided to access your TryHackMe Cloud ( console).

For this room, make sure to start the AttackBox, and prepare the CloudShell in your account. We will create a user in the CloudShell, then simulate the exfiltrated or on-prem usage of the credentials on your AttackBox. 

Learning Objectives
In this room, students will learn:
  • how to create an User
  • how to create long-term access keys
  • how to export long-term access keys as shell environment variables
  • how to validate the identity that is currently active
  • how to assume a new role using the aws sts assume-role command
  • how to export temporary session credentials as shell environment variables
Answer the questions below
My AttackBox and CloudShell are ready to go!