Manage AWS Root Credentials Easily... by forgetting them!

submitted by
Style Pass
2024-10-21 01:00:07

There are many ways of handling your AWS Root credentials, but after many years of going back and forth with various vaults and password management systems, I came across a surprisingly simple pattern: Don’t bother remembering those passwords to begin with! Set up a 2FA token, and just use the password reset workflow.

We’ve all been there… We set up a new AWS account and now we have an MFA token and password to deal with. Do we use a physical security token (single point of failure)? If so, where do we store it so that it’s accessible? If you have a 24×7 staffed NOC with a vault, this is a simple solve, but most places don’t have that, especially in the SMB and startup spaces. So we go to a virtual MFA device. And now only one person has that on their phone (single point of failure again), or we need to share the key out (hacky), or store it in a vault of some kind (at least these are digital).

Well, here is one approach that I’ve actually used several times with surprising success. It has also withstood many audits. Does that mean it’s perfect? No. But it is an effective method, even if it’s a bit out there.
