Most AWS users are privileged users, and for that reason security must be taken into consideration for those users. Key pairs (access and secret keys) are a good first level of protection when it comes to authentication against AWS resources. However, keys are static and, even if rotated, may get compromised (e.g. https://securosis.com/blog/my-500-cloud-security-screwup). The best next step for security is to use another factor for authentication, preferably something temporary, like one-time passwords. AWS supports MFA, and AWS users can leverage their MFA device to elevate authentication security. It's however a tad bit tedious to deal with MFA with the AWS CLI. To smooth it out and encourage adoption, we developed a script called aws-mfa to take care of 1) creating temporary credentials using one's key pair and MFA device id and 2) storing those temporary credentials as a new profile to use with the aws cli.
In a nutshell, here's how to use aws-mfa once all the setup has been done:
aws-mfa myprofile _token-from-mfa-device_
# simply add -mfa to the profile specified above, like so:
aws --profile myprofile-mfa ec2 do-something-that-would-be-denied-otherwise-without-mfa
git clone https://github.com/lpezet/aws-mfa.git
cd aws-mfa
# link with an absolute path; a relative target would point the link at itself
sudo ln -s "$(pwd)/aws-mfa" /usr/local/bin/aws-mfa
Before using aws-mfa you'll need to install a few dependencies. The first being, of course, awscli. The second is jq.
Here's how to go about it using homebrew:
brew install awscli
brew install jq
Once the aws-mfa script has been installed, you must configure your local aws-cli. For this, consult the aws-cli documentation.
It basically boils down to:
aws configure --profile someprofile
You'll be prompted for information:
AWS Access Key ID [None]: _enter here your access key from AWS Console_
AWS Secret Access Key [None]: _enter here your secret key from AWS Console_
Default region name [None]: us-east-1
Default output format [None]: json
Log in to AWS Console. Look for "IAM" Service, then click on "Users" in the left navigation, then find your user in the list.
Click on your username, then click on the "Security Credentials" tab.
If it's not already setup, setup your MFA Device now.
Once setup, copy the "arn" of your device.
It should be in the form of arn:aws:iam::377201731123:mfa/_username_.
We will now create a new property in your aws cli profile to hold the arn of your MFA Device. Simply run the following command:
aws --profile someprofile configure set mfa_serial _your_mfa_device_arn_
Now is the time to test your setup.
aws-mfa someprofile _token-from-your-mfa-device_
This will create/reset the profile `someprofile-mfa`. To test it worked properly:
aws --profile someprofile-mfa iam get-user
The response (whether an error or a successful result) should display your current AWS username (if your AWS user has been granted permission to call get-user on the IAM service).
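To make the two steps from the introduction concrete (get temporary credentials with a one-time token, then store them as a "-mfa" profile), here is an added Python reimplementation of that flow. It is not the aws-mfa project's own script: it assumes, as the page implies but does not state, that the temporary credentials come from STS GetSessionToken and that the device ARN lives under the mfa_serial key of the base profile. The STS response used for the offline demonstration is constructed sample data, not a real credential.

```python
"""Added example: temporary MFA credentials -> "<profile>-mfa" profile.

Assumptions (not confirmed by the page): the aws-mfa script calls
`aws sts get-session-token` and reads the device ARN from the `mfa_serial`
key of the base profile, which is where the setup step above stores it.
"""
import configparser
import json
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed sample of an `aws sts get-session-token` response; the values are
# placeholders, not real AWS credentials.
SAMPLE_STS_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID1234",
    "SecretAccessKey": "exampleSecretKeyDoNotUse/0000000000000000",
    "SessionToken": "exampleSessionToken==",
    "Expiration": "2023-01-01T12:00:00+00:00"
  }
}"""


def parse_session_token(output: str) -> dict:
    """Map the STS JSON response onto the keys the aws cli credentials file uses."""
    creds = json.loads(output)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],  # kept for display, not written to the file
    }


def write_mfa_profile(credentials_path, base_profile: str, creds: dict) -> str:
    """Create or reset the [<base_profile>-mfa] section, leaving other sections intact.

    Note: ConfigParser rewrites the whole file, so comments in an existing
    credentials file are lost; `aws configure set` would preserve them.
    """
    path = Path(credentials_path)
    cfg = configparser.ConfigParser()
    if path.exists():
        cfg.read(path)
    name = f"{base_profile}-mfa"
    # Assigning a dict replaces any previous section of the same name, which is
    # what makes re-running the script "reset" the temporary profile.
    cfg[name] = {k: v for k, v in creds.items() if k != "expiration"}
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # the file now holds live credentials; owner-only access
    return name


def get_session_token(base_profile: str, token_code: str, duration: int = 3600) -> dict:
    """Online path: read mfa_serial from the base profile and ask STS for credentials."""
    serial = subprocess.check_output(
        ["aws", "configure", "get", "mfa_serial", "--profile", base_profile], text=True
    ).strip()
    out = subprocess.check_output(
        ["aws", "sts", "get-session-token", "--profile", base_profile,
         "--serial-number", serial, "--token-code", token_code,
         "--duration-seconds", str(duration)],
        text=True,
    )
    return parse_session_token(out)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py someprofile 123456
        base, creds = sys.argv[1], get_session_token(sys.argv[1], sys.argv[2])
        target = Path.home() / ".aws" / "credentials"
    else:  # no arguments: offline demonstration on the constructed sample
        base, creds = "someprofile", parse_session_token(SAMPLE_STS_OUTPUT)
        target = Path(tempfile.mkdtemp()) / "credentials"
    name = write_mfa_profile(target, base, creds)
    print(f"wrote profile [{name}] to {target}, valid until {creds['expiration']}")
```

Run with no arguments to see the file layout produced on the constructed sample in a temporary directory; with a profile name and the current token it performs the real STS call and writes to ~/.aws/credentials, after which `aws --profile someprofile-mfa iam get-user` works until the expiration time is reached.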
If you're using AWS CodeCommit, you'll need to configure a few things to make it work with MFA (unless you bypass it in your policies).
Create a ~/.gitconfig file with the following:
[user]
name = First Last
email = flast@somewhere.com
[credential]
helper = !aws --profile someprofile-mfa --region us-east-1 codecommit credential-helper $@
UseHttpPath = true
Note the use of someprofile-mfa above: you should specify the -mfa profile you'll be using when dealing with git.
For Mac users, you may have problems with credentials being saved in KeyChain (defeating the one-time password aspect of MFA, and consequently failing further authentication).
Edit the file /Library/Developer/CommandLineTools/usr/share/git-core/gitconfig (it can also be /Applications/Xcode.app/Contents/Developer/usr/share/git-core/gitconfig if Xcode is installed), and comment out the helper like so:
[credential]
#helper = osxkeychain
This is the global level configuration, so you can still configure helper = osxkeychain at the project/local level for git if need be.