Creating an AWS Batch Job That Requires MFA

ACM.5 Series on my attempt to create an AWS Batch job that requires MFA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Batch Job Security | MFA | Passwords

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I explained how batch jobs can help with cybersecurity work.

But what if your batch job goes rogue and does something it is not supposed to do? What if it is infected by malware? What if you are performing an assessment for a company and you want to ensure that only you can use the credentials the client assigned to you? What if you are running a cloud security product in your environment and you want to approve actions it takes, before it takes them, such as rolling back changes to critical resources?

By the way, I’ve seen that last one take down a cloud environment at a large financial institution. It happens.

I like the idea of only performing sensitive operations if MFA is present. As noted in my post mfaAuthenticated with AWS Assume Role (https://readmedium.com/mfaauthenticated-with-aws-assume-role-6cbe7bdee274), my attempts to require MFA for sensitive operations are limited on AWS because the fact that MFA was used is not passed from the role assumption to the subsequent actions taken with that role.

However, in theory we can require MFA for the role assumption itself, and only allow an AWS Batch job to run with that specific role. So I’m going to try this out. I’ve already started working on various aspects of the solution in relation to running cloud and application penetration tests (https://2ndsightlab.com/cloud-penetration-testing.html) for customers.
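To make the two halves of that idea concrete, here is an added example written for this post (it is not the author's code and not part of the series repository). It builds a trust policy that uses the real IAM global condition key aws:MultiFactorAuthPresent to gate sts:AssumeRole, a user policy that only lets one specific job role be passed when submitting a Batch job, and a small offline evaluator for just the subset of IAM logic those statements use (Allow/Deny, Action, Resource, Bool and BoolIfExists). The account id, user name and role names are made-up placeholders, and the "role session" request context is modelled the way the post describes it: with the MFA flag absent from the role's later calls.

```python
"""Added example for this post: MFA-gated role assumption plus a PassRole
restriction, evaluated offline. Not the author's project code. Account id,
user and role names are placeholders."""
import json
from typing import Any

ACCOUNT = "123456789012"                                        # placeholder
JOB_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/BatchJobMfaRole"   # placeholder
ADMIN_USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/pentester"       # placeholder
MFA_KEY = "aws:MultiFactorAuthPresent"  # real IAM global condition key


def trust_policy(require_mfa: bool) -> dict:
    """Trust policy for the job role. With require_mfa the Bool condition makes
    sts:AssumeRole fail unless the caller's session context says MFA was used."""
    stmt: dict[str, Any] = {
        "Effect": "Allow",
        "Principal": {"AWS": ADMIN_USER_ARN},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        stmt["Condition"] = {"Bool": {MFA_KEY: "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def user_policy() -> dict:
    """Identity policy for the user: may submit Batch jobs, but may only pass
    the one job role, so a job cannot be launched under a broader role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["batch:SubmitJob"], "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": JOB_ROLE_ARN},
        ],
    }


def mfa_guarded_action_policy() -> dict:
    """A permission on the role itself that tries to demand MFA on a later
    action; used below to show why that check has to move to the assumption."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "*",
            "Condition": {"Bool": {MFA_KEY: "true"}},
        }],
    }


def _as_list(v: Any) -> list:
    return v if isinstance(v, list) else [v]


def _conditions_match(cond: dict, ctx: dict) -> bool:
    """Bool / BoolIfExists only. As in IAM, a Bool condition on a key that is
    absent from the request context does not match; BoolIfExists does."""
    for op, pairs in cond.items():
        if not op.startswith("Bool"):
            raise NotImplementedError(f"operator {op} not modelled")
        for key, expected in pairs.items():
            if key not in ctx:
                if op.endswith("IfExists"):
                    continue
                return False
            if str(ctx[key]).lower() != str(expected).lower():
                return False
    return True


def allowed(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Minimal evaluator: an explicit Deny wins, otherwise any matching Allow."""
    decision = False
    for s in policy["Statement"]:
        if action not in _as_list(s["Action"]):
            continue
        res = _as_list(s.get("Resource", "*"))   # trust policies carry no Resource
        if "*" not in res and resource not in res:
            continue
        if not _conditions_match(s.get("Condition", {}), ctx):
            continue
        if s["Effect"] == "Deny":
            return False
        decision = True
    return decision


def demo() -> dict:
    """Three constructed request contexts: an MFA session, plain long-term
    access keys (key absent), and a role session where, as the post describes,
    the MFA flag is not carried forward (modelled as the key being absent)."""
    mfa_session, access_keys, role_session = {MFA_KEY: "true"}, {}, {}
    other_role = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"        # placeholder
    return {
        "assume_with_mfa": allowed(trust_policy(True), "sts:AssumeRole", JOB_ROLE_ARN, mfa_session),
        "assume_with_access_keys": allowed(trust_policy(True), "sts:AssumeRole", JOB_ROLE_ARN, access_keys),
        "weak_trust_with_access_keys": allowed(trust_policy(False), "sts:AssumeRole", JOB_ROLE_ARN, access_keys),
        "pass_job_role": allowed(user_policy(), "iam:PassRole", JOB_ROLE_ARN, mfa_session),
        "pass_other_role": allowed(user_policy(), "iam:PassRole", other_role, mfa_session),
        "later_call_requiring_mfa": allowed(mfa_guarded_action_policy(), "s3:DeleteObject", "*", role_session),
    }


if __name__ == "__main__":
    print(json.dumps(trust_policy(True), indent=2))
    print(json.dumps(demo(), indent=2))
```

The last entry in demo() is the point of the post: a Bool condition on a later action is useless for a role session that does not carry the MFA flag, so the only place the condition reliably bites is the trust policy that gates the assumption, combined with iam:PassRole scoped to the one job role so the job cannot be launched under anything broader.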

Follow along if you want to see how the rest of it goes. Additional posts will be added to this one as I proceed. I might get stuck but I think I can make this work.

I eventually got this working in the post linked here: Configure an EC2 Instance to Assume a Role With MFA on Startup and Pass it to a Container (https://readmedium.com/init-script-on-an-ec2-instance-to-assume-a-role-with-mfa-and-pass-it-to-a-container-3c6c16025197). The posts preceding it are linked at the top of each story.

All the stories in this sub-series are also listed in my post on deploying a static website in an S3 bucket, Components of a Static Web Site on AWS (https://readmedium.com/components-for-a-static-web-site-on-aws-8ed895a8cf0f).

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Aws Batch
MFA
Iam Role
Sms
Iam Policy Conditions