by imduffy15 1360 days ago
Not a solution for shared multi-factor auth, but maybe some ideas…

- the root account should not be used. Disable it from being able to do anything with an SCP

- new accounts created with AWS Organizations by default have a random password and no MFA. Access is granted by going through the password reset process. Switch to this process for existing accounts, randomise all the passwords, and grant break-glass access via password resetting (ensure your contact details are valid). The password reset typically requires access to the email account (make it accessible via SSO) and potentially a phone call; ensure a virtual phone number is used so root holders can point it at their phone.

- use the likes of Azure AD, Keycloak or Okta to store your organisation's identities. Require MFA on them via YubiKey. Enable access to multiple AWS accounts via AWS SSO.

- for SSH access, switch to using AWS SSM.
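The first bullet (block the root user with an SCP) is the one readers most often ask how to implement, so here is an added example of such a service control policy; it is not code from the commenter. It denies every action when the calling principal is any account's root user, using the `aws:PrincipalArn` condition key and a wildcard on the account id; the statement id `DenyRootUserActions` is an arbitrary name chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUserActions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```

Two caveats to keep in mind when attaching this: SCPs never apply to the organization's management account, so its root user still needs the password-randomisation and MFA treatment from the second bullet, and the handful of tasks AWS only allows root to perform in a member account will fail until the policy is detached from that account, which is the intended break-glass step.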