by vegardx
1344 days ago
I imagine they just log in to the console and activate/deactivate them. But that seems like more steps than necessary. Ideally you'd just use aws sts. In short, you request a temporary set of access keys, and authenticate the request with both your access keys and MFA as part of the request. This returns a set of short-lived credentials that you then use. By using a policy attached to the user/role, you make sure that the only thing they can request is a set of temporary access keys, with all kinds of conditionals, like TTL, source IP and MFA. You can quite easily monitor CloudTrail for malicious activity and use CloudWatch to notify you when someone uses your credentials from, say, an unknown IP, outside of working hours, etc.
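The monitoring side of the comment above, as an added example that is not part of the original post: a small detector run over constructed CloudTrail-style records that flags the cases the commenter lists (long-lived keys used for anything other than requesting a session token, temporary credentials issued without MFA, an unknown source IP, activity outside working hours). The record field names mirror CloudTrail's (eventTime, eventName, sourceIPAddress, userIdentity.accessKeyId, userIdentity.sessionContext.attributes.mfaAuthenticated); the office CIDR, the working-hours window and the sample events are assumptions for the example. The AKIA/ASIA key-prefix distinction is AWS's own convention for long-lived versus temporary access keys.

```python
"""Flag suspicious AWS API activity in CloudTrail-style records.

Constructed sample data and assumed thresholds; not real logs.
"""
import ipaddress
from datetime import datetime, timezone

# Assumed office range (TEST-NET-3, documentation-only addresses) and
# an assumed 08:00-18:00 UTC weekday working window.
ALLOWED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
WORK_HOURS = (8, 18)

# Constructed events imitating CloudTrail's JSON layout.
SAMPLE_EVENTS = [
    {   # 1: long-lived key used only to request a session token, with MFA, from the office
        "eventTime": "2024-03-04T09:15:00Z", "eventName": "GetSessionToken",
        "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice",
                         "accessKeyId": "AKIAEXAMPLEKEY000001"},
    },
    {   # 2: the resulting temporary credentials, MFA-backed, used from the office
        "eventTime": "2024-03-04T10:00:00Z", "eventName": "ListBuckets",
        "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice",
                         "accessKeyId": "ASIAEXAMPLEKEY000002",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    },
    {   # 3: long-lived key used directly, from an unknown IP, at 02:30 UTC
        "eventTime": "2024-03-07T02:30:00Z", "eventName": "ListBuckets",
        "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice",
                         "accessKeyId": "AKIAEXAMPLEKEY000001"},
    },
    {   # 4: temporary credentials that were issued without MFA
        "eventTime": "2024-03-05T11:00:00Z", "eventName": "DescribeInstances",
        "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.22",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob",
                         "accessKeyId": "ASIAEXAMPLEKEY000003",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    },
]


def check_event(event, allowed_cidrs=ALLOWED_CIDRS, work_hours=WORK_HOURS):
    """Return a list of findings for one record (empty list means nothing flagged)."""
    findings = []
    ident = event.get("userIdentity", {})
    key = ident.get("accessKeyId", "")

    # Long-lived keys (AKIA...) should only ever be used to obtain temporary ones.
    if key.startswith("AKIA") and event["eventName"] != "GetSessionToken":
        findings.append("long-lived key used directly")

    # Temporary keys (ASIA...) should carry an MFA-authenticated session context.
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    if key.startswith("ASIA") and attrs.get("mfaAuthenticated") != "true":
        findings.append("temporary credentials without MFA")

    # sourceIPAddress can be a service hostname for service-initiated calls; skip those.
    try:
        ip = ipaddress.ip_address(event["sourceIPAddress"])
    except ValueError:
        ip = None
    if ip is not None and not any(ip in net for net in allowed_cidrs):
        findings.append(f"source IP {ip} not in allowlist")

    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if ts.weekday() >= 5 or not (work_hours[0] <= ts.hour < work_hours[1]):
        findings.append("outside working hours")
    return findings


def scan(events, **kw):
    """Map (eventTime, eventName, arn) to findings for every flagged record."""
    report = {}
    for e in events:
        f = check_event(e, **kw)
        if f:
            report[(e["eventTime"], e["eventName"], e["userIdentity"]["arn"])] = f
    return report


if __name__ == "__main__":
    for k, v in scan(SAMPLE_EVENTS).items():
        print(k, "->", "; ".join(v))
```

In practice the same rules would be expressed as CloudWatch metric filters or an EventBridge rule on the CloudTrail stream, with the allowlist and hours kept in configuration rather than in code; the record-level logic is what the filter has to capture.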