During a recent review of Amazon Web Services (AWS) guidance on enforcing multi-factor authentication (MFA), Duo's Production Engineering team noticed gaps in the policies suggested in AWS documentation. They found that an attacker who compromised a user's long-term access keys could potentially bypass the MFA requirement those policies are meant to enforce. Duo coordinated with AWS's security team to disclose the gaps, which were found in an AWS tutorial on enabling users to configure their own credentials and MFA settings.
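The general reason compromised access keys matter for MFA-enforcing policies is documented IAM behaviour: the condition key `aws:MultiFactorAuthPresent` is simply absent from the request context when a caller authenticates with long-term access keys rather than an STS session, so a Deny statement written with the plain `Bool` operator never fires for such callers, while the `BoolIfExists` operator treats the missing key as a match. The following simulator is an added illustration of that distinction and is not code from Duo's or AWS's write-up, nor a reconstruction of the three specific gaps in the linked post (which this page does not describe); the policies, action names and request contexts are constructed for the example.

```python
"""Simulate how IAM evaluates aws:MultiFactorAuthPresent for two policy variants.

Added illustration, not code from Duo or AWS. The policies and request
contexts below are constructed. The one rule taken from AWS documentation:
aws:MultiFactorAuthPresent is absent from the request context when the caller
uses long-term access keys; with the Bool operator a missing key never
matches, with BoolIfExists a missing key always matches.
"""

# Constructed request contexts (only the MFA key matters here).
LONG_TERM_KEYS = {}                                        # key absent entirely
STS_SESSION_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
STS_SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}

# Actions a self-service MFA tutorial would typically carve out so a user can
# enrol before MFA is required (hypothetical list for this example).
SELF_SERVICE_MFA_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "sts:GetSessionToken",
]

ALLOW_S3 = {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}
ALLOW_ENROL = {"Effect": "Allow", "Action": SELF_SERVICE_MFA_ACTIONS, "Resource": "*"}


def deny_unless_mfa(operator):
    """Deny everything except the enrolment actions when MFA is not present.

    Only the condition operator differs between the weak and hardened variants.
    """
    return {
        "Effect": "Deny",
        "NotAction": SELF_SERVICE_MFA_ACTIONS,
        "Resource": "*",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
    }


# Weak: Bool never matches when the key is absent, so access keys slip through.
WEAK_POLICY = {"Version": "2012-10-17",
               "Statement": [ALLOW_S3, ALLOW_ENROL, deny_unless_mfa("Bool")]}
# Hardened: BoolIfExists matches a missing key, so access-key calls are denied.
HARDENED_POLICY = {"Version": "2012-10-17",
                   "Statement": [ALLOW_S3, ALLOW_ENROL, deny_unless_mfa("BoolIfExists")]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(operator, key, expected, context):
    """Evaluate one Bool/BoolIfExists condition against the request context."""
    if key not in context:
        # Documented IAM semantics for a missing key.
        return operator == "BoolIfExists"
    return context[key].lower() == expected.lower()


def statement_applies(stmt, action):
    """Action/NotAction matching (wildcard support limited to a bare '*')."""
    if "Action" in stmt:
        listed = _as_list(stmt["Action"])
        return action in listed or "*" in listed
    return action not in _as_list(stmt["NotAction"])


def conditions_match(stmt, context):
    """All operators and keys in a Condition block are ANDed together."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not condition_matches(operator, key, expected, context):
                return False
    return True


def evaluate(policy, action, context):
    """Minimal IAM decision: explicit Deny wins, otherwise any matching Allow."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action) or not conditions_match(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    contexts = [("access keys", LONG_TERM_KEYS),
                ("STS, no MFA", STS_SESSION_NO_MFA),
                ("STS + MFA", STS_SESSION_WITH_MFA)]
    for name, policy in [("weak (Bool)", WEAK_POLICY), ("hardened (BoolIfExists)", HARDENED_POLICY)]:
        for label, ctx in contexts:
            print(f"{name:24} {label:12} s3:ListAllMyBuckets -> "
                  f"{evaluate(policy, 's3:ListAllMyBuckets', ctx)}")
```

Running the block shows the weak policy allowing `s3:ListAllMyBuckets` with bare access keys while the hardened one denies it, and both still allowing the enrolment actions without MFA. That carve-out is also worth inspecting closely in any such policy: whatever a caller can do before presenting MFA is exactly what an attacker holding the access keys can do.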
For a more detailed account of the three gaps, an overview of mitigation techniques and Duo's conclusions, see the blog post written by AWS Security Consultant Scott Piper: https://duo.com/blog/potential-gaps-in-suggested-amazon-web-services-security-policies-for-mfa