Can the same hardware TOTP device be used for multiple root users?

0

We have an AWS Organizations org and are addressing findings from SecurityHub.

The most common critical finding is that none of the root users for any of the accounts in the org have hardware MFA enabled.

Can the same hardware TOTP device be registered for root users of different accounts? If so we would then register the same 3 hardware TOTP devices for the root user of each account in the org and then our AWS admins would have one of these devices each.

If this isn't possible or considered bad practice, what would be the recommended approach instead? Keeping track of a hardware TOTP device for each account seems unmanageable. Should we set up these devices for the management account only, using virtual MFA devices for the root users of the member accounts and suppressing the finding from SecurityHub for the member accounts?

2 Answers
0

Hello.

MFA devices cannot be shared across accounts or users.

You cannot share the same device and set up MFA.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html

MFA devices cannot be shared across accounts or users.

So, how about assigning the device to the root user of the Organizations management AWS account and restricting it with SCP so that the root user cannot operate it in the member AWS account?
https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#bp_member-acct_use-scp

Alternatively, I think it would be a good idea to set up virtual MFA for the root user of the member AWS account.
https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html

EXPERT
answered 8 months ago
  • Thank you. I'd somehow missed that snippet when reading that docs page.

    Will set up the SCPs blocking root access for the member accounts and also add virtual MFA to the root users of the member accounts (if I can do both without too much difficulty then it seems good to have the MFA there if anyone does later decide we've got a good reason to allow root access for the member accounts).

    For the hardware device to use on the root user on the management account - it seems we could use either Yubikey or a TOTP device. Is one preferred over the other? Would either one satisfy the security hub control that brings this to attention https://docs.aws.amazon.com/config/latest/developerguide/root-account-hardware-mfa-enabled.html? (if only one satisfies the control then would prefer to go with the one that satisfies it, rather than setting up the other and suppressing the findings from this control).

  • The restriction referred to here is only applicable to the older style hardware OTP devices, it does not apply to app-based TOTP (as asked) or hardware security keys.
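The SCP the first answer proposes, written out as an added example (not taken from the answer or from the question author): it follows the pattern on the linked AWS best-practices page and is assumed to be attached to the OU(s) containing the member accounts. The `aws:PrincipalArn` match `arn:aws:iam::*:root` is the documented way to target the root user of any account; the management account is unaffected because SCPs never apply to it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyMemberAccountRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:root"
          ]
        }
      }
    }
  ]
}
```

Because the deny covers every action, including IAM calls, register the virtual MFA device on each member account's root user before the policy is attached, then confirm from the management account that the member root can no longer perform API calls.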

0

Yes, you can use the same app-based OTP or hardware backed security key for more than one root user.

In deciding to do so, you're increasing the blast radius of that one particular authenticator, so just think of it as striking a balance between blast radius and sheer number of authenticators. Using the same set of authenticators for everything likely isn't wise, but a different set for every account likely isn't either; find the balance that's right for you. Regardless of where you draw those lines, be sure to use 2+ (as you've mentioned) to eliminate the singular dependency on one authenticator.

AWS
EXPERT
answered 7 months ago
