# random
s
I just spoke with a friend who works at a major telecom company and she said they only give them temporary AWS credentials (that start with ASIA*) AND they change the credentials every 30 mins. Is this unusual? How on earth are you supposed to work with a temporary STS key?
t
I only use temporary keys, but not sure if that's the same thing
s
Does it start with AKIA or ASIA?
t
No, but it only lasts 1 hour
s
It's not an AWS access key?
Does it interrupt you every hour? I have no clue how it works
d
That sounds terrible and is terrible. We generate STS keys that last 24 hours, if you generate them with your AWS credentials. But if you generate via email/password, a new teammate found it resets every hour. He thought this was the norm for a whole month 🥲. Terrible experience though and a huge deep-focus interruption.
t
I use AWS SSO, which I log in to once a day (it expires every 12 hours). That allows continuous regeneration of STS tokens for 12 hours (they're valid for 1 hour).
This is the setup I'd recommend for everyone
d
nice, that's been recommended once before, we'll have to try.
s
@thdxr I have NO clue about AWS SSO at all. I have a root account that's locked down with MFA (I don't use that acct), and an IAM user that I personally use to sign into the console & do dev stuff. Is this not ideal?
t
If I put my "AWS nerd" hat on - yes, it's not ideal. IAM is no longer recommended for humans because it issues long-lived credentials, and from an organizational perspective it's a bit challenging to control access + define policies centrally. AWS SSO is actually a really good service (rare for AWS lol). You can use it standalone or link it with your SSO provider (I use Google Workspace) so people can sign in with the same credentials they use to sign in for everything else. Then they can generate short-lived credentials (if they leak, they expire within an hour anyway) that are used to assume roles in your various AWS accounts. AWS SSO does a good job hiding this complexity and it feels pretty seamless in most places. One rough area is that not all of aws-sdk knows how to refresh tokens from AWS SSO yet, so there's a small additional helper you'll need, but other than that I love it
I just have to make sure the Google Workspace account is locked down, has 2FA, required password rotation, etc., and everything else is downstream
s
wow, sounds pretty good! so with SSO, I won’t need an IAM user?
SSO will log me into the console
t
That's right - you can define roles in AWS SSO + who has access to assume them. It'll take care of mirroring that role in each AWS account and allowing you to assume it
c
I've used SSO too, it really makes sense, improving security with temporary keys
c
+1 for using SSO. Definitely the recommended approach from a security/best practices/usability perspective
s
Cool! I'll look into it tomorrow. I found an AWS blog post on hooking up SSO with Google Workspace
I just set up AWS SSO w/ Google. Man, so much easier now! No need to plug in my Yubikey every day to log in 😄
c
Oh really? I will search for that for sure
c
Can you send the blog post you mentioned the other day?
s
Super easy
c
Ah, thanks