ACM.343 Allowing a user to start a container with a role that requires MFA to assume, using their own credentials
Part of my series on Automating Cybersecurity Metrics. Batch Job Security. IAM. Container Security. Deploying a Static Website. The Code.
I covered how to obtain short-term credentials for a role that requires MFA and pass those credentials to a container, along with the risks, caveats, and why I'm doing it.
So now I have a script that obtains the credentials and passes them to a container. What I want to do now is run this script when starting an EC2 instance.
The point is that the EC2 instance must be able to assume the role with MFA, so it needs an MFA token. The credentials that work with that MFA token belong to a user. We don't want to hard-code those user credentials into the Amazon Machine Image (AMI).
We want to limit access to the credentials and the token to the shortest possible window. Since we're talking about MFA here, ideally the credentials and the token come from two different sources. If both are on the same machine, an attacker who compromises only that one device gets both.
For example, if the credentials are on a developer workstation and the developer enters the token on that same workstation, an attacker who gets malware onto the machine can obtain both the credentials and the token (via a keylogger, as was the case in the LastPass breach).
How can we limit our risks while still requiring MFA? I can think of a few options, but the simplest approach, and the one I'll start with, works like this:
- The EC2 instance is started with a role that has access to retrieve the user's credentials from AWS Secrets Manager.
- The developer starts the EC2 instance from a machine that does not have access to that secret in AWS Secrets Manager and passes the MFA token at startup.
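As an added example (not the author's script), here is what the instance-side half of this approach could look like: the user's long-term keys come from Secrets Manager via the instance role, the MFA token comes from the developer, and only the resulting short-term credentials reach the container. It assumes the token arrives as the first argument, the secret's SecretString is JSON with keys `aws_access_key_id` and `aws_secret_access_key`, and `SECRET_ID`, `MFA_SERIAL`, `ROLE_ARN` and `IMAGE` are set in the environment.

```shell
#!/bin/sh
# Added example, not the author's script. Assumes: MFA code is $1; SECRET_ID is
# a Secrets Manager secret whose SecretString is JSON with aws_access_key_id and
# aws_secret_access_key; MFA_SERIAL, ROLE_ARN, IMAGE are set; aws CLI, python3
# and docker are present on the instance.
set -eu

# Reject anything that is not a six-digit TOTP code before any API call.
validate_token() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Turn the tab-separated line from `aws sts assume-role --output text` into the
# lines `docker run --env-file` expects, so no key appears on a command line.
creds_to_env_file() {
  line=$1
  old_ifs=$IFS
  IFS=$(printf '\t')
  set -- $line
  IFS=$old_ifs
  [ $# -ge 3 ] && [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 1
  printf 'AWS_ACCESS_KEY_ID=%s\nAWS_SECRET_ACCESS_KEY=%s\nAWS_SESSION_TOKEN=%s\n' \
    "$1" "$2" "$3"
}

main() {
  token=${1:?usage: $0 <mfa-token>}
  validate_token "$token" || { echo "bad MFA token format" >&2; exit 1; }
  # The instance role may read this secret; the developer's machine may not.
  secret_json=$(aws secretsmanager get-secret-value --secret-id "$SECRET_ID" \
    --query SecretString --output text)
  user_key=$(printf '%s' "$secret_json" | python3 -c \
    'import json,sys; print(json.load(sys.stdin)["aws_access_key_id"])')
  user_secret=$(printf '%s' "$secret_json" | python3 -c \
    'import json,sys; print(json.load(sys.stdin)["aws_secret_access_key"])')
  # The user's keys plus the developer's token assume the MFA-protected role.
  creds=$(AWS_ACCESS_KEY_ID=$user_key AWS_SECRET_ACCESS_KEY=$user_secret \
    aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name acm343 \
    --serial-number "$MFA_SERIAL" --token-code "$token" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  unset secret_json user_key user_secret   # drop the long-term keys now
  env_file=$(mktemp)
  creds_to_env_file "$creds" > "$env_file"
  docker run --rm --env-file "$env_file" "$IMAGE"
  rm -f "$env_file"
}

# Run the flow only when asked to, so the functions can also be sourced.
if [ "${ACM_RUN:-0}" = "1" ]; then main "$@"; fi
```

Invoke it as `ACM_RUN=1 ./start.sh 123456` on the instance; the env file holds only the short-term role credentials and is deleted once the container exits.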