An SCP with multiple conditions to apply MFA to clone a GitHub repository (in theory) | by Teri Radichel | Cloud Security | October 2023


ACM.325 How are multiple conditions evaluated in a service control policy – and, or – does the MFA requirement even work on the Lambda invocation?

Part of my series on Automation of Cybersecurity Measures. Lambda. Internet Security. GitHub Security. Container Security. Deploy a Static Website. The Code.


In the last article, I changed my git authentication method so that I don’t send credentials in a URL when cloning a GitHub repository.

In this article, I want to require MFA to clone a GitHub repository. “But you can’t do that, right?” Well, not through GitHub as of this writing. But we can require MFA when a person invokes this Lambda function, so that only the Lambda function, or a secrets administrator using MFA in the AWS console, can access or use the GitHub personal access token.

Of course, you also need to secure the GitHub side by only allowing people in your organization to sign in to GitHub with MFA and use those privileges to generate a new access token. I’ve written about GitHub security in other articles.

“Require MFA?” you ask. But a Lambda execution role cannot present MFA. That’s right. But one thing we can do is require MFA to execute a Lambda function.

The method I will show you in this article has certain limitations. It still allows access from an active session. In fact, as far as I know, it doesn’t work properly on the command line.
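To make the and/or question concrete, and to show one way an MFA condition can miss a caller entirely, here is an added example that models the SCP condition evaluation rules in Python. It is not the article's SCP; the account id, function name, regions and caller contexts are constructed placeholders.

```python
"""Added example, not the article's own policy: how operators in an SCP
Condition combine (operators ANDed, keys ANDed, values for one key ORed,
only *IfExists operators match a missing key) and why a Bool-only MFA
condition never matches a caller whose context has no MFA key at all."""

def make_deny(mfa_operator):
    """Constructed Deny statement; account id, function name, regions are placeholders."""
    return {
        "Effect": "Deny",
        "Action": ["lambda:InvokeFunction"],
        "Resource": ["arn:aws:lambda:*:111122223333:function:clone-repo"],
        "Condition": {
            mfa_operator: {"aws:MultiFactorAuthPresent": "false"},
            "StringEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]},
        },
    }

# Constructed request contexts, named after how the caller authenticated.
# Long-term access keys carry no aws:MultiFactorAuthPresent key at all.
CONTEXTS = {
    "console_with_mfa": {"aws:MultiFactorAuthPresent": "true", "aws:RequestedRegion": "us-east-1"},
    "role_session_no_mfa": {"aws:MultiFactorAuthPresent": "false", "aws:RequestedRegion": "us-west-2"},
    "long_term_access_key": {"aws:RequestedRegion": "us-east-1"},
    "other_region_no_mfa": {"aws:MultiFactorAuthPresent": "false", "aws:RequestedRegion": "eu-west-1"},
}

def _key_matches(operator, wanted, actual):
    """One key under one operator; a list of wanted values is an OR."""
    if "Not" in operator:  # negated operators treat missing keys differently
        raise NotImplementedError("negated operators are not modelled here")
    if actual is None:
        return operator.endswith("IfExists")
    values = wanted if isinstance(wanted, list) else [wanted]
    if operator.startswith("Bool"):  # accept true/True/false/False
        return str(actual).lower() in [str(v).lower() for v in values]
    return actual in values  # StringEquals is case-sensitive

def condition_matches(condition, context):
    """AND across operators and across keys; the OR lives inside _key_matches."""
    return all(_key_matches(op, wanted, context.get(key))
               for op, keys in condition.items() for key, wanted in keys.items())

def denied(statement, action, context):
    return (statement["Effect"] == "Deny" and action in statement["Action"]
            and condition_matches(statement["Condition"], context))

def deny_results(mfa_operator):
    """Which callers the Deny catches under the given MFA operator ("Bool" or "BoolIfExists")."""
    stmt = make_deny(mfa_operator)
    return {name: denied(stmt, "lambda:InvokeFunction", ctx) for name, ctx in CONTEXTS.items()}
```

With plain `Bool`, the long-term access key caller is never denied because the MFA key is simply absent from the request context; `BoolIfExists` closes that gap, while the region list still behaves as an OR.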

In the next article, I’ll show you how to require MFA every time you call a Lambda function (hopefully).

I’m finally getting to what I hinted at a long time ago. A short batch job can run in Lambda. A long batch job can run in AWS Batch. Or…
