
Re: Taking over root on legacy AWS account



Hi Ross

Sorry, I did not respond earlier.

On Tue, Aug 23, 2022 at 10:55:27PM -0700, Ross Vandegrift wrote:
> On Fri, Aug 12, 2022 at 05:37:33PM +0100, Marcin Kulisz wrote:
> > My take on the latter would be that one of the delegates if we'd have a chair
> > would be holding MFA to this account and this would be passed along this line to
> > the next one and it should be an obligation of the chair to do it be.
> > I would nominate Ross as the person usually chairing our meetings.
> > Any other ideas or suggestions how to do it?
> Bastian suggested storing it in the password repo [1].  I like that since it
> supports providing access to multiple people via their gpg keys.  I don't quite
> understand how to use pwstore, but the idea seems simple enough.

The main problem with that, for now, is that we don't have control over the
phone number associated with our accounts.  This means we can't recover
from broken MFA without the help of support.

As I said in the last meeting, I don't know a useful way to rectify
that missing access to a shared phone number.

Because none of the new accounts have MFA enabled, maybe it is okay to
just transfer the account without it as well.

Regards,
Bastian

-- 
I object to intellect without discipline;  I object to power without
constructive purpose.
		-- Spock, "The Squire of Gothos", stardate 2124.5

