Isn't it a bad idea from a security perspective to store the MFA QR code in an S3 bucket which is accessible to lower-privileged users?
When another IAM user is compromised, an attacker just needs to phish the password from the root user and create MFA codes using the QR code, or did I misunderstand that?
Thanks in advance
Yes, that pretty much defeats the purpose.
Keys, such as this MFA TOTP secret, should always be stored in a cryptographically secure system; one resistant to tampering and fully audited for access and modification. While S3 may be configurable as a relatively secure key store, there are a variety of out-of-band secret management systems (hardware and software) available as alternatives.
I believe it was just a suggestion since some folks think that the QR code can only be used once. I'm also guessing that the instructor didn't want to get into the security pros and cons of where these QR codes should be stored. This topic could easily turn into a heated debate. 😉 S3 might be a good choice if the QR codes are stored in a separate AWS account, but the main takeaway is to keep a copy of your QR code for your root account so you don't lock yourself out. Derek alluded to a number of other options, for example printing your QR code(s) and keeping them in a safe, storing the images in a password vault, using an OTP manager that lets you take backups of your TOTP secrets such as OTP Auth, etc. Anyway, S3 would not be my first choice, but everyone's threat model is different.
AFAIK the Authy app solves the issues with backup.
Failing that, try to secure any recovery keys or the photo as a secure note in LastPass (or similar), ensure password re-prompt is enabled, and use a 2FA hardware token (at least 2 in case you lose 1).
Agreed, really bad idea. If that bucket gets compromised, they can have access to the bucket.
Storing QR code recovery keys in a vault like LastPass or 1Password is better.
I would not store it in an S3 bucket that non-admins have any access to at all. What I do is store it in another AWS account, and for a couple of highly sensitive accounts I put them on (gulp) Azure.
That's what I was thinking. I think I would rather not do that.