Secure AWS access with assume role and MFA

In order to let someone access your AWS account, whether a developer from outside the company or a developer from a different team, the most straightforward method is to create an IAM user, then add them to a group with an IAM policy, attach a policy directly to the user, or use an inline policy.

This quickly creates a mess because you

The most important issue is security: that IAM user can create an access key under their account, and that key can be used with the AWS CLI without any MFA enforcement. So although the user has to type an MFA code when logging in to the AWS console, they don't have to do that when using the AWS CLI with the access/secret key of that user.

Another issue is having multiple IAM user accounts. Imagine having to switch between QA/Prod/Staging with a separate IAM user for each.

Assume role solves this problem. Instead of binding permissions to a user or group, you create an IAM role. You grant permission so that an IAM user can assume, i.e. switch to, that role. Once they switch, they inherit all the permissions the role has. An access key cannot be created for a role.

On the CLI, you use your access/secret key
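The following is an added example, not code from the original post: it builds the two pieces that make the assume-role setup above enforce MFA, the role's trust policy (with an `aws:MultiFactorAuthPresent` condition, so a long-lived access key alone cannot assume the role) and the matching `~/.aws/config` profile, and includes a small checker that flags a trust policy that grants `sts:AssumeRole` without that condition. The account ID, user name, role name and profile names are constructed placeholders.

```python
"""Assume-role setup that requires MFA: trust policy, CLI profile, and a checker."""
import json

# Constructed placeholder identifiers (not a real account, user, or role).
ACCOUNT_ID = "123456789012"
TRUSTED_USER = "alice"
ROLE_NAME = "QAReadOnly"


def build_trust_policy(account_id: str, user_name: str, require_mfa: bool = True) -> dict:
    """Trust policy for the role: only the named IAM user may call sts:AssumeRole,
    and (when require_mfa is set) only from a session that was MFA-authenticated.
    A plain "Bool" condition is used rather than "BoolIfExists": if the key is
    absent from the request, the condition fails and the AssumeRole call is denied."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_requires_mfa(policy: dict) -> bool:
    """Return True only if every Allow statement that grants sts:AssumeRole
    carries the aws:MultiFactorAuthPresent == true condition. Any AssumeRole
    grant without it is a path that a bare access/secret key can use."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be un-listed
        statements = [statements]
    assume_stmts = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            assume_stmts.append(stmt)
    if not assume_stmts:
        return False                          # nobody can assume the role at all
    for stmt in assume_stmts:
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            return False
    return True


def build_cli_profile(profile: str, account_id: str, role_name: str,
                      source_profile: str, user_name: str) -> str:
    """~/.aws/config section for the role. The CLI uses the access/secret key of
    source_profile to call sts:AssumeRole, prompts for the token of mfa_serial,
    and caches the resulting temporary credentials for this profile."""
    return (
        f"[profile {profile}]\n"
        f"role_arn = arn:aws:iam::{account_id}:role/{role_name}\n"
        f"source_profile = {source_profile}\n"
        f"mfa_serial = arn:aws:iam::{account_id}:mfa/{user_name}\n"
    )


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, TRUSTED_USER)
    print(json.dumps(policy, indent=2))
    print("requires MFA:", trust_policy_requires_mfa(policy))
    weak = build_trust_policy(ACCOUNT_ID, TRUSTED_USER, require_mfa=False)
    print("weak policy requires MFA:", trust_policy_requires_mfa(weak))
    print(build_cli_profile("qa", ACCOUNT_ID, ROLE_NAME, "default", TRUSTED_USER))
```

With the printed section in `~/.aws/config`, running `aws sts get-caller-identity --profile qa` makes the CLI ask for the MFA token code before it calls `sts:AssumeRole`; the same access/secret key used directly (without the role profile) still cannot reach anything the role grants, which is the property the post is after.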
