undefined | Better HN

0 pointsarkadiyt3y ago0 comments

To assume a role with OIDC you'd need to do it from the context of a specific CircleCI job run - getting access to the secrets of a particular CircleCI account alone would not be enough to authenticate to AWS (unlike when you use IAM user credentials).

Even if the attacker had access to env vars from running jobs (which includes the signed token needed to do an OIDC role assumption), those tokens have a short expiry time, and even if an attacker stole that token and performed a role assumption then that session can only be valid for a maximum of 12 hours in AWS, and then you know the attacker is out of your account.

It just significantly reduces, practically nullifies, anything that an attacker can do in your AWS account.

0 comments

rcme3y ago

This only applies if the stolen credentials can’t create roles and can’t modify existing roles.

thinkmassive3y ago

...and don't leave a payload behind, to maintain persistent access (unless I'm missing something?)

Corrado3y ago

This is a good reminder to always follow least-permission best practices.

danw19793y ago

I’d add drift detection on everything IAM / SCP / Org to this list too.

A session token with only a few minutes validity can be enough for someone to make their access permanent.

j / k navigate · click thread line to collapse