Re: Taking over root on legacy AWS account

[Ross Vandegrift <rvandegrift@debian.org>]

On Wed, Aug 24, 2022 at 09:51:40PM +0200, Bastian Blank wrote:
> On Tue, Aug 23, 2022 at 10:55:27PM -0700, Ross Vandegrift wrote:
> > On Fri, Aug 12, 2022 at 05:37:33PM +0100, Marcin Kulisz wrote:
> > > My take on the latter would be that one of the delegates if we'd have a chair
> > > would be holding MFA to this account and this would be passed along this line to
> > > the next one and it should be an obligation of the chair to do it be.
> > > I would nominate Ross as the person usually charring our meetings.
> > > Any other ideas or suggestions how to do it?
> > Bastian suggested storing it in the password repo [1].  I like that since it
> > supports providing access to multiple people via their gpg keys.  I don't quite
> > understand how to use pwstore, but the idea seems simple enough.
> 
> The main problem with that is for now: we don't have control over the
> phone number associated with our accounts.  This means we can't recover
> from broken MFA without help of the support.
> 
> As I said in the last meeting, I don't know a useful way to rectify
> that missing access to a shared phone number.

Right - sorry, I was assuming that 1) we probably won't be able to solve the
phone number issue and 2) still wanted MFA on the root accounts.

> Because none of the new accounts have MFA enabled, maybe it is okay to
> just transfer the account without it as well.

Yea, this might be the best option to avoid the lockout issue.

Ross