Protecting AWS api keys the right way (part one).

2017-10-27

Every now and then we ear about leaked AWS API keys causing mayhem in companies infrastructures and applications. Sometimes, if you are lucky you could get on with a substantial bill from AWS because someone has spun endless x1.32xlarge EC2 instances in your account in order to mine cryptocurrency. However, the worst scenario would be the case of someone getting hold of your AWS API keys locking yourself out the account threatening to delete all resources as EC2,RDS,EBS and asking a ransom to reinstate the access into it.

As part of the mitigation, lot of people enable AWS Multi-Factor Authentication (MFA) to protect the login of their IAM users. This means that when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor). If you go to https://aws.amazon.com/iam/details/mfa/ and scroll through you can see that there’s no mention about API keys because they are a different object from the login profile therefore they need a different layer of protection.

Whenever you add MFA to a user you are protecting with a the second factor only its login to the AWS console, but not its API keys!!! Take a look to the picture below. Enabling the MFA device only, is not enough!

Remediation

  • Solution nr.1

Using Terraform we will create a group named i.e. “ec2Admins” which grants full control of the EC2 service to the users assigned to the group itself and prevents API calls unless those users are authenticated with AWS multi-factor authentication (MFA). If you take a look to the code below you can see the condition that enforce MFA authentication before the user is allowed to perform an action on the service.

"Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }

Once you create the group with MFA policy make sure to move all relevant IAM users into it

Terraform code mfa:

  • Solution nr.2

This solution adds the ip address lockdown as an additional layer of security along with AWS multi-factor authentication (MFA). In the IAM policy is possible to specify IPV4 ip addresses as origin of the API request, hence to perform API action you must be connected from the ip addresses listed in the policy along being authenticated with MFA.

"Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        },
        "IpAddress": {
          "aws:SourceIp": [
            "my.office1.ip.address/32",
            "my.office2.ip.address/32",
            "my.office3.ip.address/32",
          ]
        }
      }

Once you create the group with MFA policy and ip lockdown make sure to move all relevant IAM users into it

Terraform code mfa & ip lockdown:

I hope you have enjoyed this instalment, I will follow up with another about how to keep safe AWS credentials on a laptop.

Stay safe!