To access material, start machines and answer questions login.
Understanding how credentials are generated and can be leveraged is critical for understanding how to attack or defend a cloud account or application. In this room, we will walk through the creation of a new User and an Access Key for that user. We will then use that Key to assume a different Role to get temporary credentials. You can refer back to the Access Key and How services get credentials tasks in the Credentials Room.

In the above diagram, the Group, Policy (permissions), and the Role already exist. You will be creating the User and Long-term security credential. From your AttackBox you will use the long-term credential to authenticate to the Security Token Service () (opens in new tab) to assume the role. The Service will return to you the Temporary security credentials required to authenticate to as that role.
If you haven't already done so, click the orange Cloud Details button at the top-right of the page, generate the Cloud Environment, and use the Credentials provided to access your TryHackMe Cloud ( console).
For this room, make sure to start the AttackBox, and prepare the CloudShell in your account. We will create a user in the CloudShell, then simulate the exfiltrated or on-prem usage of the credentials on your AttackBox.
Learning Objectives
In this room, students will learn:
- how to create an User
- how to create long-term access keys
- how to export long-term access keys as shell environment variables
- how to validate the identity that is currently active
- how to assume a new role using the
aws sts assume-rolecommand - how to export temporary session credentials as shell environment variables
Answer the questions below
My AttackBox and CloudShell are ready to go!
Ready to learn Cyber Security?
The STS Credentials Lab room is only available for Premium or Max subscribers. Signup now to access more than 500 free rooms and learn cyber security through a fun, interactive learning environment.
Already have an account? Log in

