Protecting the root user with a security key, Titan Security Key v2


Hi there,

I'd like to protect our organisation's root account with a security key and purchased a Google Titan Security Key v2. According to the AWS docs, I am using a supported key, browser and OS.*

However, when I try to actually register the key, I am getting to the step when I have to press the button on the key and then get an unspecific error message from AWS. ("Error registering security key") The browser console shows a few messages that indicate a problem in the AWS setup. There is also a failed request to IAM with "com.amazon.coral.service#AccessDeniedException" in the response.

How can I troubleshoot this?

Kind regards, André

  • The key is listed as a compatible key on the FIDO2 web site.
  • The key must be registered as an MFA with Microsoft or another browser company, dependent upon your browser. In my case, this means I registered my key as an MFA method in Microsoft, as my browser during my console session was Microsoft Edge. I do not know the inner workings of each case, but maybe the public key and nonce are not shared from the Titan key unless they come from the browser? Maybe this is not your answer but triggers a solution path for others? Best of luck!

7 Answers
1

Hi André.

To make sure that we're looking at the right service: Is it correct that you try to register an MFA device for the root user of your organization's management account, i.e. in IAM (not IAM Identity Center)?

You should have a CloudTrail event logged for this action; can you please paste it here (redacting potentially sensitive content such as account numbers)? In many cases, these events contain more information than the error you see in the console. The event should be EnableMFADevice and/or ResyncMFADevice for hardware MFA devices.

AWS
Michael
answered 5 months ago
  • Thank you for taking the time to answer! Yes, it is the root user of the management account. I have checked CloudTrail and it shows the "AccessDenied":

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "Root",
            "principalId": "...",
            "arn": "arn:aws:iam::...:root",
            "accountId": "...",
            "accessKeyId": "...",
            "userName": "...",
            "sessionContext": {
                "sessionIssuer": {},
                "webIdFederationData": {},
                "attributes": {
                    "creationDate": "2023-11-30T09:02:38Z",
                    "mfaAuthenticated": "true"
                }
            }
        },
        "eventTime": "2023-11-30T09:23:56Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "EnableMFADevice",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "217.110.100.231",
        "userAgent": "AWS Internal",
        "errorCode": "AccessDenied",
        "requestParameters": null,
        "responseElements": null,
        "requestID": "d817aa38-ee6e-4166-81a0-bd73a42f8085",
        "eventID": "9c48f7ee-cf20-4dac-b421-fefcd6919802",
        "readOnly": false,
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "...",
        "eventCategory": "Management",
        "sessionCredentialFromConsole": "true"
    }
    
  • OK that's indeed tricky. I was thinking of an SCP issue (see also this guidance), but they don't apply to the root user in the management account. Do I correctly assume that you don't have the maximum number of MFA devices registered already? Did you try to register a virtual MFA device, just to see if this works?

    It might be that you'll need to create a support request for this issue, looks like it could be something specific to your account.

  • I have a single virtual MFA device on my account that I have been using for years now (TOTP through Google Authenticator). I don't have SCPs enabled. Looks like I have to upgrade our plan to actually be able to ask such a question to AWS support :-/ Thank you!

  • Since this is an account-related topic, you are able to open a case also without upgrading your plan. See here:

    Basic Support offers support for account and billing questions and service quota increases. The other plans offer a number of technical support cases with pay-by-the-month pricing and no long-term contracts.

    I hope this helps resolving the issue!
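The troubleshooting step Michael describes, pulling the failed IAM MFA-device call out of CloudTrail before opening a support case, can be scripted over an exported trail. The following is an added example, not code from this thread or from AWS: it accepts a CloudTrail export (the `{"Records": [...]}` document or a bare array) and returns only the MFA-device management calls that came back with an `errorCode`, together with the fields a support case or an access-denied investigation needs. The records below are constructed samples; the account id, ARNs, request ids and event ids are placeholders.

```javascript
// Added example, not code from the original thread or from AWS: triage helper
// for the CloudTrail records Michael's answer asks for. Sample data is constructed.

const MFA_DEVICE_EVENTS = new Set([
  "EnableMFADevice",
  "ResyncMFADevice",
  "DeactivateMFADevice",
  "CreateVirtualMFADevice",
]);

// Accept either the JSON text of a CloudTrail export or an already-parsed value.
function loadRecords(input) {
  const doc = typeof input === "string" ? JSON.parse(input) : input;
  if (Array.isArray(doc)) return doc;
  if (doc && Array.isArray(doc.Records)) return doc.Records;
  throw new TypeError("expected a CloudTrail Records document or an array of records");
}

// Root sessions carry type "Root" and no userName; IAM users carry a userName.
function describePrincipal(identity) {
  if (!identity) return "unknown";
  if (identity.type === "Root") return "root";
  return identity.userName || identity.arn || identity.type || "unknown";
}

// Return only the IAM MFA-device calls that failed, reduced to the fields worth reporting.
function findFailedMfaDeviceEvents(input) {
  return loadRecords(input)
    .filter(
      (r) =>
        r.eventSource === "iam.amazonaws.com" &&
        MFA_DEVICE_EVENTS.has(r.eventName) &&
        typeof r.errorCode === "string" &&
        r.errorCode.length > 0
    )
    .map((r) => ({
      eventTime: r.eventTime,
      eventName: r.eventName,
      principal: describePrincipal(r.userIdentity),
      // Whether the session that made the call had itself passed MFA.
      sessionMfaAuthenticated:
        r.userIdentity?.sessionContext?.attributes?.mfaAuthenticated === "true",
      fromConsole: r.sessionCredentialFromConsole === "true",
      errorCode: r.errorCode,
      errorMessage: r.errorMessage ?? null,
      requestID: r.requestID,
      eventID: r.eventID,
    }));
}

// Constructed sample export (placeholder ids): one successful EnableMFADevice by an
// IAM user, one AccessDenied EnableMFADevice by root (the shape seen in the thread),
// and one unrelated STS call.
const SAMPLE_EXPORT = {
  Records: [
    {
      eventVersion: "1.08",
      userIdentity: { type: "IAMUser", userName: "alice", arn: "arn:aws:iam::111111111111:user/alice" },
      eventTime: "2023-11-30T08:00:00Z",
      eventSource: "iam.amazonaws.com",
      eventName: "EnableMFADevice",
      awsRegion: "us-east-1",
      requestID: "00000000-0000-0000-0000-000000000001",
      eventID: "00000000-0000-0000-0000-00000000000a",
    },
    {
      eventVersion: "1.08",
      userIdentity: {
        type: "Root",
        arn: "arn:aws:iam::111111111111:root",
        sessionContext: { attributes: { creationDate: "2023-11-30T09:02:38Z", mfaAuthenticated: "true" } },
      },
      eventTime: "2023-11-30T09:23:56Z",
      eventSource: "iam.amazonaws.com",
      eventName: "EnableMFADevice",
      awsRegion: "us-east-1",
      errorCode: "AccessDenied",
      requestID: "00000000-0000-0000-0000-000000000002",
      eventID: "00000000-0000-0000-0000-00000000000b",
      sessionCredentialFromConsole: "true",
    },
    {
      eventVersion: "1.08",
      userIdentity: { type: "IAMUser", userName: "alice" },
      eventTime: "2023-11-30T09:30:00Z",
      eventSource: "sts.amazonaws.com",
      eventName: "GetCallerIdentity",
      awsRegion: "us-east-1",
      requestID: "00000000-0000-0000-0000-000000000003",
      eventID: "00000000-0000-0000-0000-00000000000c",
    },
  ],
};

console.log(JSON.stringify(findFailedMfaDeviceEvents(SAMPLE_EXPORT), null, 2));
```

The filter keys on `eventSource`, `eventName` and a non-empty `errorCode`, so successful registrations and unrelated calls drop out; the `sessionMfaAuthenticated` and `fromConsole` fields are kept because, as in the event André posted, they show the denied call came from an already MFA-authenticated console session, which is the detail that rules out a plain missing-MFA condition.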

1

Now it seems that Titan Security Key v2 is available for USB connection...

https://qiita.com/moritalous/items/3d2d5a7bf6805ae32802

(↑This article is written in Japanese.)

I have no idea why it wasn't available before...

answered 2 months ago
  • Wow, amazing… AWS lets us do trial and error, it seems …

0

Same problem here. I have both Titan Key versions; my first MFA device is a V1, no problems there, I register it normally, but I just got a new V2 as a backup key and I have the same error message with my root user. Even when I tried deleting the V1 and trying both again, same problem: V1 works fine, V2 always shows an error message.

But... I have an IAM user too, and through IAM Identity Center I can register my TK V2 to my IAM user, no problems there. Maybe there is some restriction on root users using the TK V2?

answered 4 months ago
0

Same problem, and I even tried different browsers (Chrome, Safari and Firefox). From the Chrome console errors I see that "PublicKeyCredentialCreationOptions.pubKeyCredParams" is not specified when WebAuthn is used. From Google Chrome's help page https://chromium.googlesource.com/chromium/src/+/main/content/browser/webauth/pub_key_cred_params.md

This means Google Chrome defaults to ES256 (-7) and RS256 (-257) and the AWS backend is not expecting these values, hence spitting HTTP 400 errors.

Roney
answered 4 months ago
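The field Roney's console error names, `pubKeyCredParams`, is the list of COSE algorithms a relying party declares it will accept when it calls `navigator.credentials.create({ publicKey })`. The following is an added example, not code from this thread, from AWS or from Chromium: a small lint that reports whether a registration options object leaves that list empty and therefore relies on the browser's own substitution, and which algorithms are effectively offered in each case. The ES256/RS256 default it assumes is the one the answer attributes to the linked Chromium document; the sample options and the RP id `example.test` are constructed placeholders.

```javascript
// Added example, not code from the thread, from AWS or from Chromium: lint for the
// pubKeyCredParams member of PublicKeyCredentialCreationOptions. Sample data is constructed.

const COSE_ES256 = -7;    // ECDSA with SHA-256, the algorithm most authenticators implement
const COSE_RS256 = -257;  // RSASSA-PKCS1-v1_5 with SHA-256

// Assumed browser default for an empty list, as described in the Chromium document
// linked in the answer above. Treated as an assumption, not a verified constant.
const ASSUMED_BROWSER_DEFAULT = Object.freeze([
  Object.freeze({ type: "public-key", alg: COSE_ES256 }),
  Object.freeze({ type: "public-key", alg: COSE_RS256 }),
]);

// Inspect the `publicKey` member passed to navigator.credentials.create().
// Returns whether the algorithm list is explicit, any structural problems found,
// and the COSE algorithm ids that would actually be offered to the authenticator.
function checkPubKeyCredParams(creationOptions) {
  const params = creationOptions?.pubKeyCredParams;
  const problems = [];

  if (!Array.isArray(params) || params.length === 0) {
    problems.push("pubKeyCredParams is missing or empty; the browser will substitute its own default list");
    return {
      explicit: false,
      problems,
      effectiveAlgs: ASSUMED_BROWSER_DEFAULT.map((p) => p.alg),
    };
  }

  params.forEach((p, i) => {
    if (!p || p.type !== "public-key") {
      problems.push(`pubKeyCredParams[${i}].type must be "public-key"`);
    }
    if (!p || !Number.isInteger(p.alg)) {
      problems.push(`pubKeyCredParams[${i}].alg must be a COSE algorithm identifier (integer)`);
    }
  });

  return {
    explicit: true,
    problems,
    effectiveAlgs: params.filter((p) => p && Number.isInteger(p.alg)).map((p) => p.alg),
  };
}

// Return a copy of the options with an explicit algorithm list; the input is left untouched.
function withExplicitPubKeyCredParams(creationOptions, algs = [COSE_ES256, COSE_RS256]) {
  return {
    ...creationOptions,
    pubKeyCredParams: algs.map((alg) => ({ type: "public-key", alg })),
  };
}

// Constructed sample: a registration request with every member except pubKeyCredParams.
// In a real flow the challenge and user id come from the relying party's server.
const SAMPLE_OPTIONS_WITHOUT_PARAMS = {
  rp: { id: "example.test", name: "Example RP (placeholder)" },
  user: { id: new Uint8Array([1, 2, 3, 4]), name: "root", displayName: "Root user" },
  challenge: new Uint8Array(32),
  authenticatorSelection: { userVerification: "discouraged" },
  timeout: 60000,
  attestation: "none",
};

console.log(checkPubKeyCredParams(SAMPLE_OPTIONS_WITHOUT_PARAMS));
console.log(checkPubKeyCredParams(withExplicitPubKeyCredParams(SAMPLE_OPTIONS_WITHOUT_PARAMS)));
```

The point of making the list explicit is that the algorithm the authenticator signs with is then chosen by the relying party, not by whichever browser happens to be in use, so the server side never has to accept a credential type it did not ask for. The `effectiveAlgs` value for the empty case is only as good as the assumed default; a reviewer would confirm it against the browser's own documentation for the version in use.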
0

Same problem here. In my case, I already have MFA configured with the virtual app Google Authenticator, but when I try to register the Google Titan USB key it fails with the same error.

answered 4 months ago
0

Same problem here. I can register it on mobile (Android), but when I try to use it in any browser on Windows, it still fails.

vanbako
answered 3 months ago
0

Same for me. When I register my Google Titan K52T on my Android phone via NFC, it works. On AWS it is listed as U2F. When I try on the computer by plugging it in, I receive the error message "Error Registering Key".

Neil
answered 3 months ago
