IAM Credential Verification
404tk edited this page May 7, 2026 · 2 revisions
iam-credential-check mints / lists / revokes long-lived credentials for an identity inside an authorized environment (an IAM user's access key, an Azure AD application's password credential, a GCP service account's key). It is used to verify that a defensive platform can detect long-lived-credential lifecycle signals:
- Does the IAM platform recognize a "new credential minted" event and link it to the requester / target identity / time?
- Can the investigation workflow replay the full lifecycle "credential minted → where it was used → when it was revoked"?
- Do detection rules cover scenarios such as "high-risk credential held for too long" or "machine identity minting a new credential"?
⚠️ Responsible use: create really mints a long-lived credential that can log in; the secret is visible only in this one response and is never returned again. Revoke it with delete immediately after verification, and handle any on-disk traces of the secret according to the host's security policy.
Supported on all 9 vendors:
| Vendor | Implementation | Notes |
|---|---|---|
| alibaba | RAM CreateAccessKey / DeleteAccessKey / ListAccessKeys | |
| aws | IAM CreateAccessKey / DeleteAccessKey / ListAccessKeys | |
| tencent | CAM CreateAccessKey / DeleteAccessKey / ListAccessKeys | |
| huawei | IAM permanent AccessKey lifecycle (CreatePermanentAccessKey family) | |
| azure | Microsoft Graph applications/{id}/addPassword / removePassword | principal is the Azure AD application objectId / appId |
| gcp | IAM service account key lifecycle | principal is the SA email |
| volcengine | IAM CreateAccessKey / DeleteAccessKey / ListAccessKeys | |
| jdcloud | IAM sub user :createAccessKey / :deleteAccessKey / :describeAccessKeys | principal is the sub-user name |
| ucloud | IAM CreateUserApiKey / DeleteUserApiKey / ListUserApiKeys | principal is the sub-user name |
set metadata <action> <principal> [credential-id]
- action: list / create / delete
- principal: identity name (IAM user name / SA email / Azure AD application objectId)
- credential-id: used only by delete; the access key ID / Azure password keyId / GCP key short ID
Examples:
```
set metadata list ctk-bot # list long-lived credentials
set metadata create ctk-bot # mint a new credential; output includes the secret
set metadata delete ctk-bot AKIAIOSFODNN7EXAMPLE # revoke the specified credential
set metadata list ctk-demo@ctk-demo-project.iam.gserviceaccount.com # GCP SA email
set metadata create 11111111-2222-3333-4444-000000000099 # Azure application objectId
```
Mint:
```
ctk > aws > set payload iam-credential-check
payload => iam-credential-check
ctk > aws > set metadata create ctk-bot
metadata => create ctk-bot
ctk > aws > run
[!] About to run: iam-credential-check (sensitive)
Provider: aws
Resource: ctk-bot
Proceed? [y/N]: y
CredentialID CredentialData
------------ --------------
AKIATESTMINTCTK000001 wJalrXUtnFEMI/CTKMINT/EXAMPLE001
[+] 12:00:00 minted access key AKIATESTMINTCTK000001 for ctk-bot
```
ℹ️ The secret is visible only in this response; the cloud side will not return it again. If it was not recorded in time, mint a new credential and revoke the old one.
List:
```
ctk > aws > set metadata list ctk-bot
metadata => list ctk-bot
ctk > aws > run
CredentialID Status ValidAfter
------------ ------ ----------
AKIATESTMINTCTK000001 Active 2026年04月22日 12:00:00
```
Revoke:
```
ctk > aws > set metadata delete ctk-bot AKIATESTMINTCTK000001
metadata => delete ctk-bot AKIATESTMINTCTK000001
ctk > aws > run
[+] 12:01:30 revoked access key AKIATESTMINTCTK000001 on ctk-bot
```
create / delete both require a y/N confirmation (sensitive actions). list is read-only and does not prompt.
```
ctk aws keyls ctk-bot -P lab-aws --json
ctk aws keyadd ctk-bot -P lab-aws -y
ctk aws keydel ctk-bot AKIATESTMINTCTK000001 -P lab-aws -y
```
Each cloud control plane should record the complete chain "mint / revoke action + requester identity + target identity + credential ID + time + source IP":
- AWS: CloudTrail CreateAccessKey / DeleteAccessKey
- Alibaba: ActionTrail CreateAccessKey / DeleteAccessKey
- Tencent: CloudAudit CreateAccessKey / DeleteAccessKey
- Huawei: CTS CreatePermanentAccessKey / DeletePermanentAccessKey
- Azure: Activity Log Microsoft.GraphServices/applications/passwordCredentials/... (Graph write logs may land in the AAD audit log)
- GCP: Cloud Audit google.iam.admin.v1.CreateServiceAccountKey / .DeleteServiceAccountKey
- Volcengine: Audit CreateAccessKey / DeleteAccessKey
- JD Cloud: IAM sub user access key create / delete events in ActionTrail
- UCloud: CreateUserApiKey / DeleteUserApiKey in UAct
If the platform has no real-time alert for "new credential minted", or lacks correlation fields such as "credential hold time" or "credential-use source IP deviating from the issuance source IP", each of these is a verifiable detection coverage gap.
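As an added example (not part of the ctk project), the following Python replays the "minted → used → revoked" lifecycle over constructed, simplified CloudTrail-style records: it links CreateAccessKey to later API calls signed with the same accessKeyId and to DeleteAccessKey, then emits the correlation findings named above (machine identity minting, use from an IP other than the issuance IP, hold time, never revoked). The record shape, the 24-hour hold threshold and the sample events are assumptions made for the example.

```python
# Added example, not ctk project code: replay "minted -> used -> revoked" from
# constructed CloudTrail-style records and flag the detection gaps named above.
from datetime import datetime, timedelta, timezone

EVENTS = [  # constructed sample records (simplified CloudTrail shape, not real logs)
    {"eventName": "CreateAccessKey", "eventTime": "2026-04-22T12:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci-runner/build"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIATESTMINTCTK000001", "userName": "ctk-bot"}}},
    {"eventName": "ListBuckets", "eventTime": "2026-04-22T13:30:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIATESTMINTCTK000001", "userName": "ctk-bot"}},
    {"eventName": "DeleteAccessKey", "eventTime": "2026-04-25T12:01:30Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "requestParameters": {"accessKeyId": "AKIATESTMINTCTK000001", "userName": "ctk-bot"}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def replay_lifecycles(events, max_hold=timedelta(hours=24), now=None):
    """Group records by accessKeyId; return per-key lifecycle plus a findings list."""
    keys = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts lexically
        name, ident = ev["eventName"], ev.get("userIdentity", {})
        if name == "CreateAccessKey":
            ak = ev["responseElements"]["accessKey"]
            keys[ak["accessKeyId"]] = {
                "target": ak["userName"], "minted_at": _ts(ev["eventTime"]),
                "minted_by": ident.get("arn") or ident.get("userName"),
                "mint_ip": ev["sourceIPAddress"], "uses": [], "revoked_at": None,
                "machine_minted": ident.get("type") == "AssumedRole",  # role, not a human user
            }
        elif name == "DeleteAccessKey":
            kid = ev["requestParameters"]["accessKeyId"]
            if kid in keys:
                keys[kid]["revoked_at"] = _ts(ev["eventTime"])
        elif ident.get("accessKeyId") in keys:  # any API call signed with a minted key
            keys[ident["accessKeyId"]]["uses"].append((ev["eventTime"], ev["sourceIPAddress"], name))
    now = now or datetime.now(timezone.utc)
    for rec in keys.values():
        findings = []
        if rec["machine_minted"]:
            findings.append("minted-by-machine-identity")
        if any(ip != rec["mint_ip"] for _, ip, _ in rec["uses"]):
            findings.append("used-from-ip-other-than-issuance")
        if rec["revoked_at"] is None:
            findings.append("never-revoked")
        if (rec["revoked_at"] or now) - rec["minted_at"] > max_hold:
            findings.append("held-longer-than-max")
        rec["findings"] = findings
    return keys
```

Feeding the output of `ctk aws keyls --json` plus the matching CloudTrail export into the same function is a direct way to check that the platform's own correlation reaches every field in the chain.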
In demo replay mode, iam-credential-check runs list / create / delete end to end on all 9 vendors. The GCP demo create returns a base64 service account JSON with an embedded placeholder private key; it is for demonstration only and cannot be used for real authentication.