{"id":12124,"date":"2015-08-28T10:26:43","date_gmt":"2015-08-28T14:26:43","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=12124"},"modified":"2015-08-28T10:26:43","modified_gmt":"2015-08-28T14:26:43","slug":"aws-privilege-separation","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2015\/08\/28\/aws-privilege-separation\/","title":{"rendered":"AWS Privilege Separation"},"content":{"rendered":"

Michael Wittig<\/a> (comments<\/a>):<\/p>\n

    \n

  1. You have AWS access credentials for your IAM user in the bastion account on your machine (usually in ~\/.aws\/ or in your environment variables). You make a call to the AWS API to get temporary credentials by providing a MFA token. If the MFA token is valid, you’ve created a temporary session for your IAM user in the bastion account.<\/p><\/li>\n

  2. You receive temporary credentials to authenticate as your IAM user.<\/p><\/li>\n

  3. With the temporary credentials, you can assume a role in another account (this wasn’t possible before, because assuming a role is only allowed for this user if the user is authenticated with MFA). To assume a role in another account, the role must explicitly be allowed to be used with your account!<\/strong> The maximum permissions a role should have is PowerUserAccess<\/code>. Don’t allow the role to interact with IAM!<\/p><\/li>\n

  4. You receive temporary credentials and can begin working with your AWS account.<\/p><\/li>\n<\/ol>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"

    Michael Wittig (comments): You have AWS access credentials for your IAM user in the bastion account on your machine (usually in ~\/.aws\/ or in your environment variables). You make a call to the AWS API to get temporary credentials by providing a MFA token. If the MFA token is valid, you’ve created a temporary session […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[672,48,50],"class_list":["post-12124","post","type-post","status-publish","format-standard","hentry","category-technology","tag-amazon-web-services","tag-security","tag-webapi"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/12124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=12124"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/12124\/revisions"}],"predecessor-version":[{"id":12125,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/12124\/revisions\/12125"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=12124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=12124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=12124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}