Using Yubikeys and the AWS API without additional infrastructure

Whenever we consult clients, one of the first actions we take in order to strengthen the security stance of the AWS installation is to introduce second factors into the authentication scheme. The AWS console has supported TOTP-based second factors for a long time and recently introduced U2F support as well. However, the use of second factors when interacting with AWS APIs remains limited and inconvenient.

To fix this, we’ve developed awsu, a simple command line tool, which we streamlined and open-sourced a while ago. This tool makes it straightforward to implement the best-practice strategies from AWS for handling least privilege access. No additional infrastructure (e.g. using Federation) is required in order to get started.

Using awsu makes it easy to use TOTP tokens with differentiated requirements for freshness (e.g. depending on the power of the policies associated with a given role) and assume specific roles for specific tasks without changes to the involved tooling.

awsu implements this by outsourcing the TOTP secret to a Yubikey, using the same configuration mechanisms as every other AWS SDK client (shared profiles), and “just” invoking any given tool with the environment variables that correspond to the short-term credentials of, e.g., an assumed role.

This approach allows for an even more seamless integration, e.g. by aliasing tools such as the AWS CLI to awsu.
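The mechanism described above, as an added example in Python that is not awsu's own code: per-profile freshness requirements, an MFA-backed AssumeRole through boto3's STS `assume_role` call, and the credential environment handed to the unchanged tool. The role and MFA ARNs (with the 123456789012 account id), the freshness values and the sample STS response are constructed; `sts` is any object with boto3's `assume_role` method, e.g. `boto3.client("sts")`, and `token_source` stands in for reading the current code off the Yubikey.

```python
import os
import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Profile:
    role_arn: str         # role assumed for one kind of task
    mfa_serial: str       # IAM MFA device ARN (the Yubikey-backed virtual device)
    max_age: timedelta    # how recent the MFA proof must be; shorter for powerful roles
    duration: int = 3600  # requested session length in seconds
# Constructed profiles: a read-only role may reuse its session for hours, an admin role must re-prove MFA often.
READ_ONLY = Profile("arn:aws:iam::123456789012:role/ReadOnly", "arn:aws:iam::123456789012:mfa/alice", timedelta(hours=8))
ADMIN = Profile("arn:aws:iam::123456789012:role/Admin", "arn:aws:iam::123456789012:mfa/alice", timedelta(minutes=15))
def assume_role(sts, profile, token_source, session_name="awsu"):
    """Short-term credentials from STS, MFA proven by a TOTP code from token_source (awsu reads it off the Yubikey)."""
    resp = sts.assume_role(RoleArn=profile.role_arn, RoleSessionName=session_name,
                           SerialNumber=profile.mfa_serial, TokenCode=token_source(),
                           DurationSeconds=profile.duration)
    creds = dict(resp["Credentials"])
    creds["IssuedAt"] = datetime.now(timezone.utc)  # when this MFA proof was made
    return creds

def is_fresh(creds, profile, now=None):
    """Cached credentials count as fresh only if the MFA proof is recent enough for this profile and not expired."""
    now = now or datetime.now(timezone.utc)
    return now - creds["IssuedAt"] <= profile.max_age and creds["Expiration"] > now

def credentials_env(creds, base_env=None):
    """Child environment: session credentials only; profile selection dropped so the tool cannot pick another identity."""
    env = dict(os.environ if base_env is None else base_env)
    for key in ("AWS_PROFILE", "AWS_DEFAULT_PROFILE"):
        env.pop(key, None)
    env.update(AWS_ACCESS_KEY_ID=creds["AccessKeyId"], AWS_SECRET_ACCESS_KEY=creds["SecretAccessKey"],
               AWS_SESSION_TOKEN=creds["SessionToken"])
    return env

def run_with_role(argv, sts, profile, token_source, cache):
    # Reuse cached credentials while fresh, otherwise re-assume the role; then run the tool unchanged.
    creds = cache.get(profile.role_arn)
    if creds is None or not is_fresh(creds, profile):
        creds = cache[profile.role_arn] = assume_role(sts, profile, token_source)
    return subprocess.call(argv, env=credentials_env(creds))

# Constructed STS-style response for offline checks (boto3 returns Expiration as an aware datetime).
SAMPLE_ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_ISSUED + timedelta(minutes=30)
SAMPLE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret-example", "SessionToken": "token-example",
                "Expiration": SAMPLE_ISSUED + timedelta(hours=1), "IssuedAt": SAMPLE_ISSUED}
```

With a real STS client, `run_with_role(["aws", "s3", "ls"], boto3.client("sts"), READ_ONLY, token_source, {})` is the aliasing pattern: the tool itself needs no change.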

Give it a try and tell us what you think! Did we mention that we’ve documented an in-depth consideration of multifactor strategies and their corresponding infrastructure configurations on AWS?

Credits for cover image go to: yubico.com.