Skip to main content

Decide on MFA Solution for AWS Root Accounts

When setting up MFA for AWS root accounts, you need to decide on the most suitable solution to ensure security and manageability. The two most common options are TOTP (Time-Based One-Time Password) and U2F (Universal 2nd Factor). Cloud Posse recommends using 1Password for Teams or 1Password for Business to securely share TOTP tokens among stakeholders, ensuring both accessibility and protection.

We need an MFA solution for protecting the master AWS accounts. The two most common options are TOTP and U2F (universal authenticator devices).

tip

Cloud Posse recommends 1Password for Teams or 1Password for Business

TOTP tokens can be stored in a shared authenticator app like 1Password. This allows sharing of the secret amongst designated stakeholders. Additionally, using MFA with 1Password (like Duo) protects access to 1Password.

For this reason, Cloud Posse recommends 1Password for Teams or 1Password for Business.

Yubikey (U2F)

This is by far the most secure option but comes with a significant liability, if you do not add at least two or more physical devices. This physical device can be lost, broken, or damaged. Distributed team environments where the key can not be easily passed around adds to the difficulty of maintaining continuity when team members are out-of-the-office. Getting locked out of an AWS root account is not fun. For these reasons, we do not recommend it from a practical security perspective.

Slack Bots

One option is to hook up a Slack bot to a restricted channel. Using ChatOps, admins can request a token. The nice part about this is there's a clear audit trail of who is logging in. Also, we recommend a buddy system where each time a code is requested, a "Buddy" confirms this request to ensure it was merited. For this to be more secure, MFA must be enabled on Slack.

Authy

danger

Does not support shared TOTP credentials

Authy is the original cloud-based authenticator solution. The downside is it doesn't support shared TOTP secrets, so a shared login must instead be used. This is not recommended.

LastPass

danger

Does not support shared TOTP credentials

LastPass is not an option. It does not support shared TOTP secrets. Do not confuse this with the ability to authenticate with LastPass using TOTP/Authenticator apps. That's not what we need here.