undefined | Better HN

0 pointsroblabla7mo ago0 comments

You can also use phishing-resistant login/2FA like passkeys/FIDO keys, where it is available (and I'm pretty sure amazon supports it), to minimize the risk of accidentally login into a phishing website while under pressure.

0 comments

akerl_7mo ago

If my memory is correct, AWS supports FIDO for web login but not for the API, so you either have to restrict access to FIDO and then use the web UI for everything done as that user, or have a separate non-FIDO MFA device (without FIDO's phishing resistance) for terminal/API interactions.

jorvi7mo ago

You can generate temporary AWS keys for privileged users: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

Of course, as always, PEBKAC. You will have to strictly follow protocol, and not every team is willing to jump through annoying hoops every day.

akerl_7mo ago

Can you actually generate temporary AWS STS credentials via FIDO MFA?

Again, last I looked, FIDO MFA credentials cannot be used for API calls, which you'd need to make for STS credential generation.

jorvi7mo ago

You don't put the temporary credentials behind FIDO because they're temporary anyway. You put FIDO on the main account that has the privilege to generate the temporary credentials.

So in the off chance that you get a phishing mail, you generate temporary credentials to take whatever actions it wants, attempt to log in with those credentials, get phished, but they only have access to API for 900s (or whatever you put as the timeout, 900s is just the minimum).

900s won't stop them from running amok, but it caps the amok at 900s.

1 more reply

SoftTalker7mo ago

They probably support it but how many accounts have not configured it? I'd bet it's a lot.

j / k navigate · click thread line to collapse

0 comments

akerl_7mo ago

jorvi7mo ago

You can generate temporary AWS keys for privileged users: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

Of course, as always, PEBKAC. You will have to strictly follow protocol, and not every team is willing to jump through annoying hoops every day.

akerl_7mo ago

Can you actually generate temporary AWS STS credentials via FIDO MFA?

Again, last I looked, FIDO MFA credentials cannot be used for API calls, which you'd need to make for STS credential generation.

jorvi7mo ago

You don't put the temporary credentials behind FIDO because they're temporary anyway. You put FIDO on the main account that has the privilege to generate the temporary credentials.

900s won't stop them from running amok, but it caps the amok at 900s.

1 more reply

SoftTalker7mo ago

They probably support it but how many accounts have not configured it? I'd bet it's a lot.

j / k navigate · click thread line to collapse