Y
Hacker News
new
|
ask
|
show
|
jobs
by
jes5199
4445 days ago
I have 2-factor auth enabled on my AWS login - but am I right in thinking that if someone has my API keys that they don't need the 2nd factor?
1 comments
prattbhatt
4445 days ago
Yes, someone with your access and secret keys can spin up instances, create buckets, and do everything else that the stolen keys are authorized for.
link
ceejayoz
4445 days ago
Which is why most things should be done with IAM keys specifically locked down to minimal privileges.
link
jes5199
4445 days ago
Apparently I have access keys that predate the release of IAM ! Fortunately there's a convenient "disable" link on security keys page.
link
prattbhatt
4445 days ago
Agreed
link