
I have a lambda function that uses AWS STS to generate temporary credentials and then sends the access token via HTTP to a Web API in an EC2 instance.

Is there a way to validate the received access token from the API?

ayou392

2 Answers


Calling STS GetCallerIdentity will tell you if the credentials are usable to make API calls, and it will identify the underlying AWS account and assumed role.

For example:

```
aws sts get-caller-identity
{
    "UserId": "AROAABCDEFGHIJKLMNOPQ:xyz",
    "Account": "123456781234",
    "Arn": "arn:aws:sts::123456781234:assumed-role/somerole"
}
```

Notes about the response object:

  • Account is the AWS account number of the account that owns/contains the calling entity
  • UserId is the unique identifier of the calling entity. The exact value depends on the type of entity that is making the call.
jarmod
  • The question is how to check whether a token received by the Web API was actually generated by a legitimate user (lambda) or someone else (invalid access token) – ayou392 Nov 04 '20 at 16:15
  • What is the purpose of sending an access key on its own? What use do you intend to make of it (in the absence of secret key and session token)? – jarmod Nov 04 '20 at 16:19
  • AWS security architecture assures you that any token generated by IAM represents a valid token, and that the given service that generated the token had permissions to do so. If you are concerned that some entity with elevated privileges generated a token, and that that token is not to be trusted, then you have a security configuration problem. You would need to check CloudWatch to see what entity generated the token, and revoke its permissions. – Rodrigo Murillo Nov 04 '20 at 16:20
  • Anyone can generate a token that appears to be an AWS access key. In the absence of a record made by you of vended STS credentials, and without the corresponding secret key and session token, I don't see how you can validate an access key. Perhaps you could leverage CloudTrail to capture the creation of STS credentials? – jarmod Nov 04 '20 at 16:25
  • Does the UserID refer to the temporary credentials or the resource which requested them? – ayou392 Nov 05 '20 at 16:53
  • Have added info about the [response object](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html#API_GetCallerIdentity_ResponseElements) and pointer to documentation. – jarmod Nov 05 '20 at 17:11
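As an added example (not code from either answer or from AWS), here is how the Web API could apply this check: it builds an STS client from the full credential triplet the Lambda presents (access key id, secret key and session token, since an access key on its own cannot be verified), calls GetCallerIdentity with those credentials, and then confirms the resolved account and assumed role are the ones the Lambda is expected to run as. `EXPECTED_ACCOUNT`, `ALLOWED_ROLES` and the fake client used in the comments are constructed values, not from the page.

```python
"""Verify STS credentials presented to a Web API: call GetCallerIdentity
with those credentials, then check the account and assumed role."""
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: the account and role the Lambda should run as.
EXPECTED_ACCOUNT = "123456781234"
ALLOWED_ROLES = {"somerole"}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    arn: str = ""


def role_from_arn(arn: str) -> Optional[str]:
    """Role name from an assumed-role ARN, or None for any other principal.
    Format: arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION (session may be absent)."""
    resource = arn.split(":", 5)[-1]          # "assumed-role/ROLE/SESSION"
    parts = resource.split("/")
    if parts[0] != "assumed-role" or len(parts) < 2 or not parts[1]:
        return None
    return parts[1]


def verify_caller(sts_client) -> VerifyResult:
    """sts_client must be built from the *presented* credentials, not the API's own.
    GetCallerIdentity needs no IAM permission, so success only proves the
    credentials are live; the account/role check is what ties them to the Lambda."""
    try:
        identity = sts_client.get_caller_identity()
    except Exception as exc:  # InvalidClientTokenId, ExpiredToken, network: fail closed
        return VerifyResult(False, f"STS rejected the credentials: {exc}")
    arn = identity.get("Arn", "")
    if identity.get("Account") != EXPECTED_ACCOUNT:
        return VerifyResult(False, "credentials belong to another account", arn)
    role = role_from_arn(arn)
    if role not in ALLOWED_ROLES:
        return VerifyResult(False, f"caller role {role!r} is not allowed", arn)
    return VerifyResult(True, "ok", arn)


def verify_presented_credentials(access_key_id: str, secret_access_key: str,
                                 session_token: str) -> VerifyResult:
    """Build the STS client from the presented triplet (boto3 needed only here)."""
    import boto3  # real boto3 call; requires network access to STS
    client = boto3.client("sts", aws_access_key_id=access_key_id,
                          aws_secret_access_key=secret_access_key,
                          aws_session_token=session_token)
    return verify_caller(client)
```

The check is only as strong as the role allowlist: a caller whose credentials resolve to an unexpected role or account is rejected even though STS accepted them.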

AWS security architecture assures you that any token generated by IAM represents a valid token, and that the given service that generated the token had permissions to do so. If you are concerned that some entity with elevated privileges generated a token, and that that token is not to be trusted, then you have a security configuration problem. You would need to check CloudWatch to see what entity generated the token, and revoke its permissions.

As @jarmod suggests, if a given token works, then it is valid. That is all you can know about its validity.

Rodrigo Murillo