Token Leakage on Aws
How Token Leakage Manifests in Aws
Token leakage in Aws applications occurs when authentication or authorization tokens are inadvertently exposed through various channels, allowing attackers to impersonate legitimate users or escalate privileges. This manifests in several Aws-specific patterns that developers must recognize.
One common manifestation involves Lambda function invocation logs. When developers log request headers or context objects without proper sanitization, tokens stored in Authorization headers or AWS Cognito identity pools become exposed in CloudWatch logs. An attacker with log access can extract these tokens and use them to make authenticated requests to other services.
exports.handler = async (event) => {
console.log(event.headers.Authorization); // BAD: logs token to CloudWatch
// Attacker can retrieve this from logs and reuse the token
return {
statusCode: 200,
body: JSON.stringify('Hello from Lambda')
};
};Another pattern involves API Gateway integration with Cognito user pools. When token validation fails or is improperly configured, expired or revoked tokens might still be accepted, or worse, tokens from other user pools might be accepted due to misconfigured audience claims.
Auth:
DefaultAuthorizer: AWS_IAM
Authorizers:
MyCognitoAuth:
UserPoolArn: arn:aws:cognito-idp:us-east-1:123456789:userpool/us-east-1_abc123
IdentityTokenSource: method.request.header.Authorization
// Missing audience validation allows tokens from any poolToken leakage also occurs through error responses. Aws applications often include stack traces or debug information in error responses, inadvertently exposing JWT tokens, session identifiers, or AWS temporary credentials. This is particularly problematic in serverless architectures where cold start initialization might expose temporary credentials in logs.
Cross-service token propagation represents another vulnerability. When Aws services pass authentication tokens between Lambda functions, Step Functions, or ECS tasks without proper isolation, a compromised service can intercept tokens meant for downstream services. The AWS SDK's default credential provider chain can sometimes inadvertently use credentials from the wrong source.
import boto3
def vulnerable_function():
client = boto3.client('s3')
# If credentials are improperly scoped, this might use admin creds
# instead of least-privileged IAM role
response = client.list_buckets()
return responseAws-Specific Detection
Detecting token leakage in Aws environments requires a combination of static analysis, runtime monitoring, and specialized scanning tools. The Aws-native approach starts with CloudTrail and CloudWatch integration to monitor for anomalous token usage patterns.
CloudTrail logs can reveal when tokens are being used from unexpected IP addresses, geographic locations, or at unusual times. Setting up CloudWatch alarms for these patterns helps catch token misuse early. However, this reactive approach only works after tokens have already been leaked.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole
aws cloudtrail get-trail-status --name my-trail
# Monitor for unusual token usage patterns
aws cloudwatch put-metric-alarm --alarm-name "UnusualTokenUsage" \
--alarm-description "Alarm if tokens used from unexpected locations" \
--metric-name TokenUsage --namespace Security --statistic Sum \
--period 300 --threshold 10 --comparison-operator GreaterThanThresholdFor proactive detection, middleBrick's Aws-specific scanning identifies token leakage patterns that traditional security tools miss. The scanner tests unauthenticated endpoints for token reflection vulnerabilities, checks for insecure token storage in browser localStorage or cookies, and validates that JWT tokens are properly signed and not susceptible to algorithm confusion attacks.
middleBrick's LLM/AI security module is particularly valuable for Aws applications using AI services. It detects system prompt leakage that might contain AWS credentials or API keys, and tests for prompt injection attacks that could exfiltrate tokens from AI service responses.
Code-level detection involves using AWS CodeGuru Reviewer or third-party static analysis tools configured with Aws-specific rules. These tools can identify patterns like:
- Hardcoded credentials in Lambda functions or CloudFormation templates
- Insecure token validation in API Gateway authorizers
- Missing token expiration checks in Cognito integrations
- Improper IAM role assumptions in cross-service communications
- Debug logging that exposes tokens in production environments
Runtime detection benefits from AWS X-Ray tracing to identify when tokens traverse unexpected service boundaries. X-Ray traces can reveal if a token intended for one service is being used by another, indicating potential leakage or misuse.
Aws-Specific Remediation
Remediating token leakage in Aws applications requires a defense-in-depth approach using Aws-native security features. The first layer involves proper token validation and scope limitation using AWS Cognito's built-in capabilities.
For API Gateway integrations with Cognito, implement strict audience validation and token introspection to ensure tokens are valid and haven't been revoked. Use the validate-jwt-policy to automatically reject invalid tokens before they reach your application logic.
Auth:
Authorizers:
CognitoUserPool:
UserPoolArn: arn:aws:cognito-idp:us-east-1:123456789:userpool/us-east-1_abc123
IdentityTokenSource: method.request.header.Authorization
JwtConfiguration:
audience: ['your-app-client-id'] // Specific audience validation
issuer: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123'
Validation:
CheckRevocation: true // Verify token hasn't been revokedImplement token rotation and short expiration times using Aws Secrets Manager or Parameter Store for API keys. This limits the damage window if a token is leaked. For Lambda functions, use IAM roles with least privilege and avoid passing credentials between functions.
const AWS = require('aws-sdk');
const secretsManager = new AWS.SecretsManager();
exports.handler = async (event) => {
try {
const secret = await secretsManager.getSecretValue({SecretId: 'MyAppToken'}).promise();
const token = JSON.parse(secret.SecretString).token;
// Validate token before use
if (!isValidToken(token)) {
throw new Error('Invalid token');
}
// Use token for authorized operations
return await makeAuthorizedRequest(token);
} catch (error) {
console.error('Token operation failed:', error.message);
throw error;
}
};For logging and monitoring, implement structured logging that redacts tokens before they reach persistent storage. Use Aws Lambda layers or middleware to automatically sanitize logs. Configure CloudWatch log groups with appropriate retention policies and encryption.
const redactToken = (input) => {
const tokenPattern = /(?:(?:Bearer|Token)[ ]*)((?:(?:eyJ[a-zA-Z0-9_-]{5,}){2,}[a-zA-Z0-9_-]{5,})/g;
return input.replace(tokenPattern, '[REDACTED]');
};
exports.handler = async (event) => {
const sanitizedEvent = redactToken(JSON.stringify(event));
console.log(sanitizedEvent);
return {
statusCode: 200,
body: JSON.stringify('Hello from Lambda')
};
};Implement network isolation using VPC endpoints and security groups to prevent tokens from being transmitted over public networks. Use AWS WAF to block requests containing suspicious token patterns or from known malicious IP ranges.
For applications using AWS Step Functions, implement token isolation between state machines. Each state machine should use its own IAM role with minimal permissions, preventing token escalation through nested executions.
{
"Comment": "Token-safe state machine",
"StartAt": "Task1",
"States": {
"Task1": {
"Type": "Task",
"Resource": "arn:aws:lambda:us-east-1:123456789:function:Task1",
"Next": "Task2",
"Parameters": {
"IAMRole": "arn:aws:iam::123456789:role/Task1Role" // Least privilege
}
}
}
}