by ownagefool 1278 days ago
So it depends on how and what gets hacked.

The type of company posting about getting hacked like this is probably using the root / admin accounts to do most things. Their lowest hanging fruit and biggest wins would probably be MFA, then SSO.

However, IAM is generally powerful enough to allow you to configure what an account can do.

So best practice, you also want to think about how you're going to lose credentials.

- Sharing passwords across services.
- Leak of your .dotfiles, either by having your laptop pwned, or uploading your .dotfiles to a public repo as a backup or something.
- Accidentally pasting into the wrong window or something.

SSO & MFA defeats all of these, with the exception that your STS token will be signed for 1h in those .dotfiles when you auth yourself. I'm not sure what happens if you remove the token from the device, but the device itself being compromised would allow someone to piggyback your session.

Ergo, you move to least privilege access, and then if your laptop, server, or CI/CD runner gets hijacked, it's only able to do whatever it was allowed to do in the first place.

The last part is you need to detect the misuse.

When you have least privilege access and a pretty locked down account, the hope is that when a session is hijacked, the attacker will attempt to use the credentials and get an access denied. This should allow you to detect and remediate the reason for the leak.

Obviously this turns your cloud install into a lot more work, and you still also need to look at maintaining and patching the actual services so they're not compromised in the first place.
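The detection step the comment describes, as an added example that is not part of the original post: a small scan over CloudTrail-shaped events that flags a principal once its denied calls reach a threshold, and also reports whether those denials came from a source IP that never made a successful call for that principal (the hijacked-session case). The events, ARNs, IPs and the threshold are constructed for illustration; the field names follow the CloudTrail record schema.

```python
from collections import defaultdict

# Constructed CloudTrail-style events (sample data, not from a real account).
# Field names follow the CloudTrail record schema; all values are invented.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/runner-1"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/runner-1"}},
    {"eventName": "ListUsers", "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/runner-1"}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/runner-1"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.9",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/runner-1"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com", "sourceIPAddress": "10.0.0.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]

# errorCode values CloudTrail uses for authorization failures across services.
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

def find_suspect_sessions(events, threshold=2):
    """Group events by principal ARN; flag a principal once it has `threshold`
    or more denied calls, and list the denied calls' source IPs that never
    made a successful call for that principal (a hint the session was hijacked)."""
    allowed_ips = defaultdict(set)   # arn -> IPs seen on successful calls
    denied = defaultdict(list)       # arn -> denied events
    for ev in events:
        arn = ev["userIdentity"]["arn"]
        if ev.get("errorCode") in DENIED_CODES:
            denied[arn].append(ev)
        else:
            allowed_ips[arn].add(ev["sourceIPAddress"])
    findings = {}
    for arn, evs in denied.items():
        if len(evs) < threshold:
            continue   # a lone denial is usually a misconfiguration, not an attacker probing
        new_ips = {e["sourceIPAddress"] for e in evs} - allowed_ips[arn]
        findings[arn] = {
            "denied_calls": sorted(f'{e["eventSource"]}:{e["eventName"]}' for e in evs),
            "unseen_source_ips": sorted(new_ips),
        }
    return findings
```

Running `find_suspect_sessions(SAMPLE_EVENTS)` flags only the CI runner role: three denied IAM/EC2 calls, all from an IP that never appeared on its legitimate S3 activity.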