Securing Local AWS Credentials

Ryan McGeehan
Nov 23, 2016

Overview

Create User

Create the Role

Allow the User to Assume the Role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::[YOUR ACCOUNT ID]:role/admin"
      ],
      "Condition": { "Bool": { "aws:MultiFactorAuthPresent": true } }
    }
  ]
}
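
One way to check, before attaching it, that a policy like the one above really requires MFA for sts:AssumeRole. This is an added example, not code from the original article; the function names, the placeholder account ID 111122223333 and the WEAK_POLICY sample are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _requires_mfa(stmt):
    # Only the plain "Bool" operator counts: "BoolIfExists" evaluates to true when
    # the key is absent, which is the case for requests signed with long-term keys.
    for key, value in stmt.get("Condition", {}).get("Bool", {}).items():
        if key.lower() == "aws:multifactorauthpresent":
            return all(str(v).lower() == "true" for v in _as_list(value))
    return False

def assume_role_without_mfa(policy_json):
    """Return indexes of Allow statements granting sts:AssumeRole with no MFA condition.
    Statements that use NotAction are not analysed."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        # IAM action names are case-insensitive and may contain wildcards.
        grants = any(fnmatchcase("sts:assumerole", a.lower()) for a in actions)
        if grants and not _requires_mfa(stmt):
            findings.append(i)
    return findings

# The policy from this page; 111122223333 is a placeholder account ID.
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["sts:AssumeRole"],
   "Resource": ["arn:aws:iam::111122223333:role/admin"],
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}}]}"""

# Constructed counter-examples: no condition, BoolIfExists, then a correct statement.
WEAK_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:*", "Resource": "*"},
  {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*",
   "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}},
  {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*",
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}"""

if __name__ == "__main__":
    print("page policy findings:", assume_role_without_mfa(PAGE_POLICY))
    print("weak policy findings:", assume_role_without_mfa(WEAK_POLICY))
```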

Configure the CLI

[default]
aws_access_key_id = ACCESSKEY
aws_secret_access_key = SECRETKEY
[profile admin]
role_arn = arn:aws:iam::[YOURACCOUNTID]:role/admin
source_profile = default
mfa_serial = arn:aws:iam::[YOURACCOUNTID]:mfa/[NAME OF USER]

Test It

Benefits

Downsides

Incident Response

Conclusion


@magoo

Starting Up Security

Guides for the growing security team

Thanks to Rob Witoff and William Bengtson.
