Talos is an easy-to-use authorization tool that generates secure, temporary AWS credentials for an organization's users and allows for easy cross-account federation.
- Efficient question-based walkthrough structure
- Minimal technical knowledge required
- Provides machine-wide role-based AWS access in as few as two keypresses
Installation & Usage
Please refer to the walkthrough for detailed instructions.
Use NPM to install the package globally.
npm i @compassdigital/talos -g
Then, in your terminal, run:
AWS programmatic access credentials rely on a single factor of authentication only - if co-opted by an attacker, they provide full, unrestricted access to the user's permissions. While AWS provides the option for multi-factor authentication through the console, this does not extend to programmatic access.
Talos works in tandem with a role-based - not policy-based - AWS permissions structure. The process is as follows:
- A user's base programmatic access credentials provide no access - they only allow a user to assume a role
- Roles, in turn, have the desired AWS policies attached to them
- Users may assume roles that have been granted to them in order to gain access to the role policies
- Role assumption is temporary - credentials expire between 1 and 12 hours from the time of issue
Through leveraging the AWS STS API, which allows enforcing MFA for role assumption, Talos generates temporary, secure, and multi-factor authenticated credentials/console sessions for the user.
What does it all mean?
- AWS users are safeguarded from the threat of credential hijacking
- Different roles can be granted to the same user for different tasks, reducing the chance of misfires or a user modifying resources they didn't mean to
- The process of role assumption serves as an additional acknowledgment that the user is prepared to execute the permissions of the role they are assuming, limiting human error
Compass Digital Labs 2021, all rights reserved