Access Keys Will Kill You Before You Kill the Password

Black Hat USA 2016

Presented by: Loic Simon
Date: Wednesday August 03, 2016
Time: 16:20 - 16:45
Location: Mandalay Bay EF

AWS users, whether they are DevOps engineers in a startup or system administrators tasked with migrating an enterprise service into the cloud, interact on a daily basis with the AWS APIs, using either the web console or tools such as the AWS CLI to manage their infrastructure. When working with the latter, authentication is done using long-lived access keys that are often stored in plaintext files, shared between developers, and sometimes publicly exposed. This creates a significant security risk, as possession of such credentials provides unconditional and permanent access to the AWS API, which may have catastrophic consequences if the credentials are compromised. This talk will detail how MFA may be consistently required for all users, regardless of the authentication method. Furthermore, this talk will introduce several open-source tools, including the release of one new tool, that may be used to allow painless work when MFA-protected API access is enforced in an AWS account.
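The enforcement the abstract describes, requiring MFA regardless of whether a user signs in with a password or with an access key, is commonly done with an IAM policy that denies every action unless the request carries an MFA-authenticated session. The policy below is an added illustration of that pattern, not code from the talk or its tools; the `BoolIfExists` condition matters because `aws:MultiFactorAuthPresent` is simply absent from requests signed with long-term access keys, so a plain `Bool` check would not catch them. The actions left in `NotAction` are those a user needs to enrol a virtual MFA device and to mint MFA-backed temporary credentials (`sts:GetSessionToken` requires no permission, but listing it keeps the intent explicit); the policy is meant for IAM users and groups, not for roles used by services.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEverythingExceptMfaBootstrapWithoutMfa",
      "Effect": "Deny",
      "NotAction": [
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

With this policy attached, a CLI user calls `aws sts get-session-token --serial-number <mfa-device-arn> --token-code <otp>` once, then uses the returned temporary credentials (which carry `aws:MultiFactorAuthPresent = true`) for the rest of the session; the long-term key alone can do nothing beyond MFA enrolment.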

Loic Simon

Loïc Simon is a Principal Security Engineer at NCC Group US Security Consulting, a full-service security consulting company offering world-class penetration testing, security systems development, security education and software design verification. For several years, Loïc has been specializing in AWS security, performing in-depth security reviews as well as architecture and design reviews for a variety of cloud-based systems. Loïc helped secure highly complex deployments involving thousands of instances and millions of objects by designing and implementing strict access control requirements without impacting users' productivity. Loïc is the author of a variety of open-source tools developed to help assess and harden the security of AWS environments.
