Updated the guidance in this particular page on console access.

content/aws/post_exploitation/create_a_console_session_from_iam_credentials.md

@@ -21,6 +21,8 @@ description: "How to use IAM credentials to create an AWS Console session."
     [aws_consoler](https://github.com/NetSPI/aws_consoler): A utility to convert your AWS CLI credentials into AWS console access.
 
     [leapp](https://github.com/Noovolari/leapp): Leapp is the DevTool to access your cloud.
+
+    [PACU](https://github.com/RhinoSecurityLabs/pacu): PACU has a function called console/open_console that will either display a URL to provide you with console access or will launch the system default browser with the link embedded.
 
 </div>
 
@@ -29,7 +31,7 @@ When performing an AWS assessment you will likely encounter IAM credentials. The
 While this can be useful, sometimes you just can't beat clicking around the console. If you have IAM credentials, there is a way that you can spawn an AWS Console session using a tool such as [aws-vault](https://github.com/99designs/aws-vault). This can make certain actions much easier rather than trying to remember the specific flag name for the AWS CLI.
 
 !!! Note
-    If you are using temporary IAM credentials (ASIA...), for example, from an EC2 instance, you do not need to have any special IAM permissions to do this. If you are using long-term credentials (AKIA...), you need to have either [sts:GetFederationToken](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-federation-token.html) or [sts:AssumeRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html) permissions. This is to generate the temporary credentials you will need.
+    If you are using temporary IAM credentials (ASIA...), for example, from an EC2 instance, you do not need to have any special IAM permissions to do this. If you are using long-term credentials (AKIA...), you need to have either [sts:GetFederationToken](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-federation-token.html) or [sts:AssumeRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html) permissions. This is to generate the temporary credentials you will need. PACU will automatically make the calls for you such that an ASIA key can be used with their tool without extra steps.
 
 !!! Tip
     If you are attempting to avoid detection, this technique is **not** recommended. Aside from the suspicious `ConsoleLogin` CloudTrail log, and the odd user-agent (Ex: Why is the IAM role associated with the CI/CD server using a Firefox user-agent string?), you will also generate a ton of CloudTrail logs.
@@ -59,4 +61,4 @@ aws-vault login
 !!! Tip
     If you'd like to generate a link without it automatically opening a new tab in your browser you can use the `-s` flag and it will be printed to stdout.
 
-To learn more about custom identity broker access to the AWS Console please see the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html).
+To learn more about custom identity broker access to the AWS Console please see the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html).