This is an underrated point. Every "best security practices" guide you read has you setup MFA for console access, then create IAM keys with no such protection.
The credentials I'm using with Terraform require MFA in order to call 'AssumeAdmin'. Everyone I've ever shown this configuration has complained about it being overkill and tried to argue Terraform should just have IAM keys sitting on disk, one desktop compromise away from taking everything. And since it's used to provision basically everything it's a highly privileged account.
The credentials I'm using with Terraform require MFA in order to call 'AssumeAdmin'. Everyone I've ever shown this configuration has complained about it being overkill and tried to argue Terraform should just have IAM keys sitting on disk, one desktop compromise away from taking everything. And since it's used to provision basically everything it's a highly privileged account.