Creating initial credentials for an administrator role for automation with MFA | by Teri Radichel | Cloud Security | November 2023


ACM.376 Leveraging “adminroot” credentials to deploy an organization’s initial resources

Part of my series on Automating Cybersecurity Metrics. AWS Organizations. IAM. Deploy a static website. The Code.


In the last article, I deployed an AWS Organization with CloudFormation, for either a new or an existing organization, so that we can reference it in our policies.

In this article I want to review using a container to deploy AWS resources with the root administrator user we created, along with the automation credentials we created for that user.

Consider the policies from the post in which I assigned permissions directly to the rootadmin user. In an emergency, the rootadmin user can log in and perform various actions in the AWS console. Requiring MFA in the console works there.

What that user cannot do is use the developer credentials in an AWS CLI profile with these policies. Why?

Recall that requiring MFA on developer credentials without BoolIfExists does not work. And using BoolIfExists is the wrong approach if you are trying to restrict automation actions with MFA.

Why? Because when you use developer credentials, there is no indication of MFA in the request at all. The MFA key is simply not there. The flawed logic of BoolIfExists is that if the MFA key is absent, the action is allowed anyway. What?

To enforce MFA with developer credentials, you instead require MFA to assume a role. No one can assume the role without MFA, and therefore no one can use the role's permissions without MFA.
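To make the difference concrete, here is an added example (not code from the original article) that models how IAM evaluates the aws:MultiFactorAuthPresent key under Bool versus BoolIfExists, using constructed request contexts for long-term keys, a session without MFA, and a session with MFA. The policy dictionaries, the simplified evaluator and the function names are assumptions made for this illustration; Principal and Action are not evaluated.

```python
# Added example (not from the original article): a minimal model of how IAM
# evaluates aws:MultiFactorAuthPresent under Bool vs BoolIfExists.
# Semantics follow the IAM documentation for "...IfExists" operators: when the
# key is absent from the request context, Bool does not match, BoolIfExists does.

# Constructed request contexts. Long-term access keys (the article's
# "developer credentials") never carry the MFA key at all.
LONG_TERM_KEYS = {}                                        # key absent
SESSION_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}   # session, no MFA
SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}  # session after MFA


def condition_matches(operator: str, key: str, expected: str, context: dict) -> bool:
    """Evaluate one Bool / BoolIfExists condition against a request context."""
    if key not in context:
        # The whole point: IfExists treats a missing key as a match.
        return operator == "BoolIfExists"
    return context[key].lower() == expected.lower()


def statement_applies(statement: dict, context: dict) -> bool:
    """A statement applies only if every condition in it matches."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not condition_matches(operator, key, expected, context):
                return False
    return True


def is_allowed(policy: list, context: dict) -> bool:
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    applicable = [s for s in policy if statement_applies(s, context)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return False
    return any(s["Effect"] == "Allow" for s in applicable)


# Weak: Allow gated with BoolIfExists. Meant to require MFA, but a request made
# with long-term keys has no MFA key, so the condition matches anyway.
WEAK_ALLOW = [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}}]

# Corrected: a role trust statement that grants sts:AssumeRole only when the key
# is present and true, so MFA must happen before the role's permissions exist.
MFA_TRUST = [{"Effect": "Allow", "Action": "sts:AssumeRole",
              "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]


def compare() -> dict:
    """Allow decision of each policy for the three constructed contexts."""
    contexts = {"long_term": LONG_TERM_KEYS, "no_mfa": SESSION_NO_MFA, "mfa": SESSION_WITH_MFA}
    return {name: {"weak": is_allowed(WEAK_ALLOW, ctx), "trust": is_allowed(MFA_TRUST, ctx)}
            for name, ctx in contexts.items()}
```

Running compare() shows the weak policy granting sts:AssumeRole to bare long-term keys, while the trust statement with Bool only grants it once MFA is present and true.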

Note: I’m only talking about the scenario where an attacker steals the developer’s credentials. If the attacker manages to take control of an active session, MFA does not matter for the duration of that session. I…
