Re: Taking over root on legacy AWS account
On Wed, Aug 24, 2022 at 09:51:40PM +0200, Bastian Blank wrote:
> On Tue, Aug 23, 2022 at 10:55:27PM -0700, Ross Vandegrift wrote:
> > On Fri, Aug 12, 2022 at 05:37:33PM +0100, Marcin Kulisz wrote:
> > > My take on the latter would be that one of the delegates, if we'd have a chair,
> > > would be holding MFA to this account and this would be passed along this line to
> > > the next one, and it should be an obligation of the chair to do it.
> > > I would nominate Ross as the person usually chairing our meetings.
> > > Any other ideas or suggestions how to do it?
> > Bastian suggested storing it in the password repo [1]. I like that since it
> > supports providing access to multiple people via their gpg keys. I don't quite
> > understand how to use pwstore, but the idea seems simple enough.
>
> The main problem with that is for now: we don't have control over the
> phone number associated with our accounts. This means we can't recover
> from broken MFA without help from support.
>
> As I said in the last meeting, I don't know a useful way to rectify
> that missing access to a shared phone number.
Right - sorry, I was assuming that 1) we probably won't be able to solve the
phone number issue and 2) still wanted MFA on the root accounts.
> Because none of the new accounts have MFA enabled, maybe it is okay to
> just transfer the account without it as well.
Yeah, this might be the best option to avoid the lockout issue.
Ross
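What actually ends up in a shared password repository in the "MFA in pwstore" proposal is the virtual MFA device's TOTP seed, not the device itself; anyone who can decrypt that entry can generate codes, and the seed is also what you would need to restore the factor if a phone is lost. The following is an added example, not code from the thread or from pwstore, showing how codes are derived from such a seed with RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step, which is what AWS virtual MFA devices use). The seed and timestamps are the RFC 6238 test vectors, embedded here so the block runs offline; `verify_code` and its `window` parameter are this example's own names.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test seed (ASCII "12345678901234567890") in the base32 form
# that a virtual MFA enrolment screen would show; constructed sample input.
SAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Decode a base32 TOTP seed, tolerating spaces and missing padding."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_code(seed_b32: str, for_time: Optional[int] = None,
              step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the given Unix time (default: now)."""
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step                      # RFC 6238 time step T
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter
    digest = hmac.new(decode_seed(seed_b32), msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(seed_b32: str, code: str, for_time: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept a code for the current step or up to `window` steps either side,
    which is how verifiers absorb clock skew between holder and server.
    Uses a constant-time comparison so the check does not leak digits."""
    if for_time is None:
        for_time = int(time.time())
    for delta in range(-window, window + 1):
        candidate = totp_code(seed_b32, for_time + delta * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # Anyone holding the decrypted seed can do this; that is the whole point
    # (and the whole risk) of keeping the factor in a shared store.
    print("current code:", totp_code(SAMPLE_SEED_B32))
```

Because the seed is the secret, the repository entry should be treated exactly like the root password it sits next to: the set of gpg keys it is encrypted to is the set of people who hold the second factor, and rotating that set means re-enrolling a new virtual device rather than just re-encrypting.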