[codegeek]

"The root account credentials, essentially the highest level of administrative control, are stored in a shared enterprise password manager in a shared vault to which only three individuals had access: two current Ruby Central staff members and one former maintainer, André Arko"

I am wondering. Did they at least have MFA enabled on the root login or not ?

[terracatta]

Yes because they state under the section "Root Cause Analysis"

> Ruby Central failed to rotate the AWS root account credentials (password and MFA) after the departure of personnel with access to the shared vault.

[sersi]

If both password and MFA are stored in the same shared vault then MFA's purpose is compromised. Anyone getting access to that shared vault has the full keys to the kingdom the same as if MFA wasn't enabled.

Also in this day and age, there's no reason to have the root account creds in a shared vault, no-one should ever need to access the root account, everyone should have IAM accounts with only the necessary permissions.

[blibble]

> If both password and MFA are stored in the same shared vault then MFA's purpose is compromised. Anyone getting access to that shared vault has the full keys to the kingdom the same as if MFA wasn't enabled.

absolutely

> no-one should ever need to access the root account

someone has to be able to access it (rarely)

if you're a micro-org having three people with the ability to get it doesn't seem that bad

everything else they did is however terrible practice

[mikey_p]

So they failed to properly protect their credentials?

This sure doesn't reflect all this supposed professionalism and improvements RC was supposed to make.

Years ago, I decided with all the DHH drama, that using Rails was too much of a liability and this shit just makes the whole Ruby ecosystem a liability to anything build in that ecosystem.