
Ensure all AWS root accounts have MFA enabled

Open Firefishy opened this issue 1 year ago • 3 comments

AWS requires root accounts to have MFA from May 16, 2024.

Ensure that all our accounts have MFA enabled on the root account and that the MFA secret is saved in our secrets store.

Firefishy avatar May 08 '24 12:05 Firefishy

https://aws.amazon.com/blogs/security/security-by-design-aws-to-enhance-mfa-requirements-in-2024/

Firefishy avatar May 08 '24 12:05 Firefishy

Documentation on how to enable: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable-overview.html

Firefishy avatar May 08 '24 12:05 Firefishy

All servers face cold side correctly.

Our switches currently face rear of rack and have incorrect airflow (AFO, instead of AFI). Switching to AFI is ~£200 per switch.

Firefishy avatar May 08 '24 13:05 Firefishy

Only the organisation owner account (osm-main) has an active root account and it now has MFA enabled (see ops pgp store for access). The sub-accounts now also have root credentials removed, password recovery disabled and these sub-accounts require privileged operations to be performed via the organisation owner. The master account can also be used to re-allow password recovery of the root on the sub-accounts via IAM root management.

Firefishy avatar Aug 28 '25 12:08 Firefishy

Some details on a centralised root which I have set up: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html

Firefishy avatar Aug 28 '25 12:08 Firefishy
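An added example, not part of the thread or the project's own tooling: a check of the end state described in the last comments (MFA on the organisation owner's root, no root password or access keys on sub-accounts), run over the `SummaryMap` that `aws iam get-account-summary` returns for each account. The sample data is constructed, and every account name other than osm-main is a hypothetical placeholder.

```python
"""Audit root-credential posture from IAM account summaries (added example)."""

# Constructed sample data: one SummaryMap per account, as returned by
# `aws iam get-account-summary`. Only "osm-main" comes from the thread;
# the member-* names are hypothetical placeholders.
SAMPLE_SUMMARIES = {
    "osm-main": {"AccountMFAEnabled": 1, "AccountPasswordPresent": 1, "AccountAccessKeysPresent": 0},
    "member-a": {"AccountMFAEnabled": 0, "AccountPasswordPresent": 0, "AccountAccessKeysPresent": 0},
    "member-b": {"AccountMFAEnabled": 0, "AccountPasswordPresent": 1, "AccountAccessKeysPresent": 0},
    "member-c": {"AccountMFAEnabled": 1, "AccountPasswordPresent": 1, "AccountAccessKeysPresent": 1},
    "member-d": {"AccountMFAEnabled": 0},  # truncated response
}

REQUIRED = ("AccountMFAEnabled", "AccountPasswordPresent", "AccountAccessKeysPresent")


def audit_account(name, summary, management_account="osm-main"):
    """Return a list of findings for one account (empty list = compliant)."""
    missing = [key for key in REQUIRED if key not in summary]
    if missing:
        # Fail closed: an incomplete summary is a finding, not a pass.
        return ["missing field: " + key for key in missing]

    findings = []
    if summary["AccountAccessKeysPresent"]:
        findings.append("root access keys present")

    has_password = bool(summary["AccountPasswordPresent"])
    has_mfa = bool(summary["AccountMFAEnabled"])
    if name == management_account:
        # The organisation owner keeps its root user, so MFA is mandatory.
        if not has_mfa:
            findings.append("root MFA not enabled")
    elif has_password:
        # Sub-accounts are expected to have root credentials removed.
        findings.append("root password not removed")
        if not has_mfa:
            findings.append("root password without MFA")
    return findings


def audit_all(summaries, management_account="osm-main"):
    """Audit every account and return only those with findings."""
    report = {n: audit_account(n, s, management_account) for n, s in sorted(summaries.items())}
    return {name: findings for name, findings in report.items() if findings}


if __name__ == "__main__":
    for account, problems in audit_all(SAMPLE_SUMMARIES).items():
        print(account, "->", "; ".join(problems))
```

A sub-account with `AccountMFAEnabled` at 0 is compliant here only because it has no root password or access keys left to protect.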