undefined | Better HN

0 pointsjorvi5mo ago0 comments

You can generate temporary AWS keys for privileged users: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

Of course, as always, PEBKAC. You will have to strictly follow protocol, and not every team is willing to jump through annoying hoops every day.

0 comments

akerl_5mo ago

Can you actually generate temporary AWS STS credentials via FIDO MFA?

Again, last I looked, FIDO MFA credentials cannot be used for API calls, which you'd need to make for STS credential generation.

jorviOP5mo ago

You don't put the temporary credentials behind FIDO because they're temporary anyway. You put FIDO on the main account that has the privilege to generate the temporary credentials.

So in the off chance that you get a phishing mail, you generate temporary credentials to take whatever actions it wants, attempt to log in with those credentials, get phished, but they only have access to API for 900s (or whatever you put as the timeout, 900s is just the minimum).

900s won't stop them from running amok, but it caps the amok at 900s.

akerl_5mo ago

You aren't grokking what I'm saying. AWS does not allow FIDO2 as an MFA method for API calls.

So if your MFA device for your main account is a FIDO2 device, you either:

1. Don't require MFA to generate temporary credentials. Congrats, your MFA is now basically theater.

2. Do require MFA to generate temporary credentials. Congrats, the only way to generate temporary credentials is to instead use a non-FIDO MFA device on the main account.

Nobody is getting a phishing email, going to the terminal, generating STS credentials, and then feeding those into the phish. The phish is punting them to a fake AWS webpage. Temporary credentials are a mitigation for session token theft, not for phishing.

1 more reply

j / k navigate · click thread line to collapse

0 comments

akerl_5mo ago

Can you actually generate temporary AWS STS credentials via FIDO MFA?

Again, last I looked, FIDO MFA credentials cannot be used for API calls, which you'd need to make for STS credential generation.

jorviOP5mo ago

You don't put the temporary credentials behind FIDO because they're temporary anyway. You put FIDO on the main account that has the privilege to generate the temporary credentials.

900s won't stop them from running amok, but it caps the amok at 900s.

akerl_5mo ago

You aren't grokking what I'm saying. AWS does not allow FIDO2 as an MFA method for API calls.

So if your MFA device for your main account is a FIDO2 device, you either:

1. Don't require MFA to generate temporary credentials. Congrats, your MFA is now basically theater.

2. Do require MFA to generate temporary credentials. Congrats, the only way to generate temporary credentials is to instead use a non-FIDO MFA device on the main account.

1 more reply

j / k navigate · click thread line to collapse