
Transferring AWS Root Account access when MFA is enabled

I have been managing an AWS account for about a year. Typical "best practices" security setup:

  • 1 Root Account
  • Multiple non-Root accounts, including the one I use on a daily basis
  • All accounts using MFA (I personally use the Google Authenticator app)

I would like to now transfer "ownership" of this entire AWS account (Root account & all) to someone else. While I can certainly give them the username + password to login as Root, they will need MFA setup as well.

The only way I can think of handling this is to:

  1. Disable MFA on the Root account
  2. Give them the logins for the Root account
  3. Trust that they will re-enable MFA as soon as possible

Does the AWS web console provide any better solutions? I'm not even sure if it's possible to disable MFA on an account (let alone Root) once it's set...

Thanks in advance!

To deactivate the MFA device for your AWS account root user (console)

Use your AWS account root user credentials to sign in to the AWS Management Console.

Important

To manage MFA devices for the AWS account, you must sign in to AWS with your AWS account root user credentials. You cannot manage MFA devices for the root user with other credentials.

On the navigation bar, choose your account name, and then choose My Security Credentials. If a prompt appears, choose Continue to Security Credentials.

Expand the Multi-Factor Authentication (MFA) section.

In the row for the MFA device that you want to deactivate, choose Deactivate.

The MFA device is deactivated for the AWS account.

You asked three questions. Let us look at them one by one.

1. Disable MFA on the Root account

To deactivate the MFA device for your AWS account root user (console), follow these steps:

  1. Sign in to your AWS Account with Root creds
  2. On the right corner of the navigation pane you can see My Security Credentials
  3. Select Multi-Factor Authentication
  4. Then mark it as Deactivate against your MFA Device

2. Give them the logins for the Root account

For this, follow the AWS documentation which clearly shows "How do I transfer my account to another person or business?". For this there is no need of a Technical Support package; your Basic Support package is enough.

3. Trust that they will re-enable MFA as soon as possible

For this you have to ask whoever you are transferring the account to, to enable MFA. You can also teach them the need for MFA and its security benefits.

As mentioned, it's possible to remove an MFA from an account once it's been added. You also have two options for transferring the root account with MFA enabled:

  • If the account is worth the investment, buy and use a hardware MFA. Then transferring the account involves physically transferring the MFA device.
  • If you want to keep using a virtual device, remove the MFA from the root account and re-add it. While scanning the QR code with your own Authenticator app, take a screenshot of the QR code and store it securely (ideally, print it on paper and immediately destroy any digital copies), or press "Show secret key for manual configuration" and write down the long seed string on paper. The QR code or seed string can be scanned or entered to seed the same OTP number-stream onto the new owner's Authenticator app. Obviously, be aware that if stolen, the same data can be used to seed the same stream by anyone, including an attacker, so keep it secure.
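To make the last point concrete, here is an added example (not code from the original answers or from AWS) that implements the RFC 6238 TOTP scheme a virtual MFA device uses, and shows that two apps enrolled from the same base32 seed produce identical codes, which is why the seed is exactly as sensitive as the device. The seed value is the RFC 6238 reference key, base32-encoded, chosen here only so the output can be checked against published test vectors; `Authenticator`, `same_stream` and `verify_code` are names assumed for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp(seed_base32: str, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step), the scheme Google Authenticator uses
    for a virtual MFA device. The base32 string is what the QR code / "secret key for
    manual configuration" carries; knowing it is equivalent to holding the device."""
    seed = seed_base32.strip().replace(" ", "").upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))      # tolerate unpadded seeds
    counter = int((time.time() if at_time is None else at_time) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """One enrolled app instance; two instances seeded identically are indistinguishable."""
    def __init__(self, seed_base32: str) -> None:
        self._seed = seed_base32

    def current_code(self, at_time: Optional[int] = None) -> str:
        return totp(self._seed, at_time)


def same_stream(seed_base32: str, at_time: int) -> bool:
    """The old owner's app and the new owner's app, enrolled from the same seed, agree."""
    old_owner = Authenticator(seed_base32)
    new_owner = Authenticator(seed_base32)
    return old_owner.current_code(at_time) == new_owner.current_code(at_time)


def verify_code(seed_base32: str, submitted: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Verifier-side check tolerating +/- `window` time steps of clock skew, constant-time compare."""
    return any(
        hmac.compare_digest(totp(seed_base32, at_time + k * step, step), submitted)
        for k in range(-window, window + 1)
    )


# Constructed seed: the RFC 6238 reference key "12345678901234567890", base32-encoded.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC6238_SEED, 59, digits=8))       # RFC 6238 test vector: 94287082
    print(same_stream(RFC6238_SEED, 1111111109))  # True: the seed alone reproduces the stream
```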
