
terracatta | 4 months ago

Yes because they state under the section "Root Cause Analysis"

> Ruby Central failed to rotate the AWS root account credentials (password and MFA) after the departure of personnel with access to the shared vault.


sersi | 4 months ago

If both password and MFA are stored in the same shared vault, then MFA's purpose is compromised. Anyone getting access to that shared vault has the full keys to the kingdom, the same as if MFA wasn't enabled.

Also, in this day and age there's no reason to have the root account creds in a shared vault; no-one should ever need to access the root account, and everyone should have IAM accounts with only the necessary permissions.
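The hygiene points in this comment (no routine root use, no root access keys, MFA on every console user, credentials rotated after a departure) can be checked against the IAM credential report that `aws iam get-credential-report` returns as CSV. The script below is an added example, not code from this thread or from Ruby Central: the report rows are constructed, the account ID is a placeholder, and the `LAST_DEPARTURE` date and 30-day root-login window are assumed thresholds. Note that the report does not record when the root password or MFA device was last changed (those fields read `not_supported`), so rotation of root credentials after a departure has to be tracked out of band; the script flags root usage and root access keys instead.

```python
"""Audit an AWS IAM credential report for root-account and MFA hygiene.

Added example, not code from the thread. Input format is the IAM credential
report CSV (aws iam get-credential-report --query Content --output text | base64 -d);
the header below is trimmed to the columns this script reads.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report. Account ID 111122223333 is a placeholder.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T00:00:00+00:00,not_supported,2025-10-01T09:14:00+00:00,not_supported,not_supported,true,true,2020-03-01T00:00:00+00:00,2025-10-01T09:20:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-05-05T00:00:00+00:00,true,2025-10-08T08:00:00+00:00,2025-08-20T00:00:00+00:00,2025-11-18T00:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-03-03T00:00:00+00:00,true,2025-10-09T10:00:00+00:00,2025-07-01T00:00:00+00:00,2025-09-29T00:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-02-02T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-02-02T00:00:00+00:00,2025-10-09T00:00:00+00:00,false,N/A,N/A
"""

# Assumed audit date and assumed date of the last staff departure.
NOW = datetime(2025, 10, 10, tzinfo=timezone.utc)
LAST_DEPARTURE = datetime(2025, 8, 15, tzinfo=timezone.utc)


def _ts(value):
    """Parse a report timestamp; 'N/A', 'no_information', 'not_supported' become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv, now, last_departure=None, root_use_window_days=30):
    """Return a list of human-readable findings from a credential report.

    Checks: root has MFA; root has no access keys; root console login is not
    recent (break-glass use only); every console-enabled user has MFA; active
    access keys were rotated after the last departure (if a date is given).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        keys_active = [n for n in ("1", "2") if row.get(f"access_key_{n}_active") == "true"]

        if user == "<root_account>":
            if not mfa:
                findings.append("root: MFA not enabled")
            if keys_active:
                findings.append("root: active access key(s) present; root should have none")
            last_used = _ts(row["password_last_used"])
            if last_used is not None and now - last_used < timedelta(days=root_use_window_days):
                findings.append(
                    f"root: console login within the last {root_use_window_days} days; "
                    "confirm this was a break-glass need and not routine use"
                )
            # Root password/MFA rotation is not in the report: track it out of band.
            continue

        if row["password_enabled"] == "true" and not mfa:
            findings.append(f"{user}: console password enabled without MFA")

        for n in keys_active:
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if last_departure is not None and rotated is not None and rotated < last_departure:
                findings.append(
                    f"{user}: access key {n} not rotated since departure on {last_departure.date()}"
                )
    return findings


def sample_findings():
    """Run the audit on the constructed sample with the assumed dates."""
    return audit(SAMPLE_REPORT, NOW, LAST_DEPARTURE)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Against the sample this reports the root access key, the recent root login, `bob` without MFA, and the `deploy-bot` key that predates the departure; `alice` is clean. Run it against a real report by replacing `SAMPLE_REPORT` with the decoded CSV and setting `LAST_DEPARTURE` from your offboarding records.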

blibble | 4 months ago

> If both password and MFA are stored in the same shared vault then MFA's purpose is compromised. Anyone getting access to that shared vault has the full keys to the kingdom the same as if MFA wasn't enabled.

absolutely

> no-one should ever need to access the root account

someone has to be able to access it (rarely)

if you're a micro-org having three people with the ability to get it doesn't seem that bad

everything else they did is however terrible practice