CyberArk has released a new integration to generate and display Time-based One-time Passwords (TOTP) for Multi-factor Authentication (MFA). A key intended use case of this integration is to provide management and governance over access to the Amazon Web Services (AWS) root account.
This new integration provides TOTPs within the CyberArk PAM web portal to authenticate use of the AWS root account. This allows organizations to follow AWS IAM best practices by securely storing root user credentials in the CyberArk digital vault, while adding an additional layer of security via TOTP MFA.
Every organization’s AWS accounts come with an AWS root user that has extremely powerful privileges, including full access to all services and resources within the account. To emphasize the point, permissions cannot be reduced for the root user. Additionally, there are several AWS tasks that only the root user can complete.
This makes it essential for organizations to “protect your root user access key like you would your credit card numbers or any other sensitive secret,” per AWS Identity and Access Management (IAM) best practices,
AWS guidance continues:
"We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, use your root user credentials only to create your IAM admin user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks."
CyberArk and our partners at AWS are committed to the success of our mutual customers. This solution was created through active collaboration with AWS Professional Services teams following a significant volume of customer requests.
Note: while some usage cannot be avoided, CyberArk recommends limiting the use of AWS root account and dedicated personal accounts with admin rights as much as possible.
While the root user is often used as a shared account for break-glass scenarios, organizations would like to establish granular control and audit over usage of the root account at the individual level, which poses a challenge for them. This is where CyberArk comes into play. By enabling access to the AWS root account using CyberArk PAM, security admins can use personal access lists within PAM to clearly designate individual users with access to the root account. Security admins can also apply additional security controls like personal MFA challenges, approval workflows and ticketing integrations, while retaining audit of all AWS root access and which users performed it.
The new integration allows organizations to defend against attacks that target the root account to manipulate privileged access to AWS services and resources. This helps enable the digital business to expand in AWS cloud environments by actively following AWS best practices to limit and secure the most privileged sessions — those involving the AWS root account.
CyberArk continues to develop additional means for protecting access to AWS. For any feedback or questions, please contact your CyberArk account team.
For information on this integration, please visit the CyberArk Marketplace.