Apparently medium has two separate “do you want an account” popups now to click out of before you can read. This is a common problem once the development team for a website grows beyond a certain size: the left hand doesn’t know what the right hand is doing. Perhaps we can find the two project leads implementing them, have them fight to the death in some sort of saw trap, and the survivor gets to keep their javascript asking for my email address?
> Following this revelation, we were able to observe that these keys change on an hourly basis...

Is it recommended to rotate keys hourly, or even daily? Or only for something like AWS? I've read/been told monthly is more than adequate for reg. web apps.
I'm skeptical of there being any security implications. Signed but not encrypted tokens are effectively plaintext metadata, and token revocation is still an important operation on the service side, preventing zombie token attacks.

Reading metadata can be useful to know when a token is expired without hitting a remote service.