Using IAM roles, you can issue temporary credentials to IAM users to access AWS resources, which is deemed more secure, primarily because the access and secret keys are rotated frequently.
However, you still have to issue a standard access key and secret key to the user to assume the role, and these will be saved in the ~/.aws/config file. From a security perspective, if the credentials are stolen, they can still be used to assume the role and access the resources.
I am just wondering whether temporary credentials prevent such a threat.
PS: I understand the benefits of AWS resources assuming roles, cross-account access and ease of user management.
You could use Amazon Cognito to generate temporary credentials.
Users can authenticate to Cognito via username/password, or using federated logins such as Facebook, Google and OpenID.
I'm thinking like a person who has stolen AWS credentials. I compromise the computer holding the standard credentials and try running some AWS CLI commands just to check the resources, e.g.:
aws sqs list-queues
If standard credentials don't allow me to check the resources, my first attempt will fail.
Afterwards, I'd try some more critical attempts aimed at IAM.
aws sts get-caller-identity
aws iam list-users
aws iam list-user-policies --user-name USERNAME   # USERNAME taken from the output of the previous command
aws iam list-groups-for-user --user-name USERNAME
aws iam list-group-policies --group-name GROUPNAME
aws iam list-attached-group-policies --group-name GROUPNAME
...
If I don't have any permissions, none of the above commands will work. I could give up here, but I have one last resort: history | grep -i aws. If I'm lucky, I'll probably see a line like this:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/xaccounts3access --role-session-name s3-access-example
and other commands. Then I'd try the steps listed above again with the new credentials.
I'd suggest you take a look at an AWS service called AWS SSO. It provides an app which allows users to retrieve AWS credentials the same way they would by assuming a role. The best part is that users must log in with a username and password, and you can enforce MFA authentication.
Users can sign in to the AWS SSO user portal with their existing corporate credentials and get AWS Command Line Interface (CLI) credentials for all their assigned AWS accounts from one place. These AWS CLI credentials expire after 60 minutes automatically to help protect access to your AWS accounts.
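The two answers above describe the same risk from both sides: the attacker answer shows that a long-lived IAM user key stored in ~/.aws/credentials is all that is needed to run `aws sts assume-role`, and the AWS SSO answer shows the alternative of keeping only short-lived credentials on disk. The script below is an added example, not code from any of the posters or from AWS; it audits a credentials/config pair offline and flags the profiles that still rely on a long-lived key. It uses the documented access-key-ID prefixes (AKIA for long-lived IAM user keys, ASIA for temporary STS credentials) as the classifier. The profile names, role ARNs, MFA device ARN, SSO URL and key IDs are constructed sample data, embedded inline so the script runs without touching AWS.

```python
"""Audit AWS CLI config/credentials files for long-lived keys.

Added example, not part of the original Q&A. All profile names, ARNs,
key IDs and URLs below are constructed sample data.
"""
import configparser
from typing import Dict

# Constructed ~/.aws/credentials: one long-lived IAM user key (AKIA...)
# and one set of temporary STS credentials (ASIA... plus a session token).
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLE0000000001
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret1

[temp-session]
aws_access_key_id = ASIAEXAMPLE0000000002
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret2
aws_session_token = EXAMPLEsessiontoken...
"""

# Constructed ~/.aws/config: two role profiles chained to the long-lived
# [default] key (one with mfa_serial, one without) and an SSO profile
# that stores no key at all.
SAMPLE_CONFIG = """
[profile xaccount-s3-nomfa]
role_arn = arn:aws:iam::123456789012:role/xaccounts3access
source_profile = default

[profile xaccount-s3-mfa]
role_arn = arn:aws:iam::123456789012:role/xaccounts3access
source_profile = default
mfa_serial = arn:aws:iam::111122223333:mfa/alice

[profile sso-dev]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = us-east-1
"""


def classify_key(key_id: str) -> str:
    """Classify an access key ID by its documented prefix.

    AKIA = long-lived IAM user key; ASIA = temporary STS credentials
    (assume-role, SSO, Cognito). Anything else is unknown.
    """
    if key_id.startswith("AKIA"):
        return "long-lived"
    if key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def _parse(text: str) -> configparser.RawConfigParser:
    # RawConfigParser: no '%' interpolation, which can choke on tokens.
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return parser


def audit(credentials_text: str, config_text: str) -> Dict[str, str]:
    """Return {profile_name: finding} for every profile in both files."""
    creds = _parse(credentials_text)
    cfg = _parse(config_text)
    findings: Dict[str, str] = {}
    key_class: Dict[str, str] = {}

    # Pass 1: what is actually stored in the credentials file.
    for name in creds.sections():
        kind = classify_key(creds.get(name, "aws_access_key_id", fallback=""))
        key_class[name] = kind
        if kind == "long-lived":
            findings[name] = "long-lived IAM user key on disk"
        elif kind == "temporary":
            findings[name] = "temporary STS credentials (expire automatically)"
        else:
            findings[name] = "no recognisable access key"

    # Pass 2: role and SSO profiles in the config file.
    for section in cfg.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        if cfg.has_option(section, "role_arn"):
            source = cfg.get(section, "source_profile", fallback="")
            source_kind = key_class.get(source, "unknown")
            if source_kind == "long-lived" and not cfg.has_option(section, "mfa_serial"):
                findings[name] = (f"role assumed with a long-lived key and no MFA: "
                                  f"whoever steals [{source}] can assume it")
            elif source_kind == "long-lived":
                findings[name] = ("role assumed with a long-lived key; mfa_serial set, "
                                  "so assume-role also needs the MFA code")
            else:
                findings[name] = f"role assumed from source profile [{source}] ({source_kind} key)"
        elif cfg.has_option(section, "sso_start_url"):
            findings[name] = "SSO profile: no long-term key stored on disk"
    return findings


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CREDENTIALS, SAMPLE_CONFIG).items():
        print(f"{profile:20s} {finding}")
```

To run it against a real workstation, read ~/.aws/credentials and ~/.aws/config into the two arguments of `audit()`; the prefix check is a heuristic and does not call AWS, so it cannot tell whether a long-lived key is still active, only that one is sitting on disk. The `mfa_serial` finding reflects CLI behaviour: when a role profile carries `mfa_serial`, the CLI prompts for the MFA code before calling assume-role, so a stolen key alone no longer yields the role's credentials.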