Score:1

Brute Force AWS IAM MFA


Question: Given that a bad actor gains access to a user's aws_access_key_id as well as the aws_secret_access_key stored in the ~/.aws/credentials file, will the actor be able to quickly gain access as that user, provided that MFA is required? (i.e. does AWS implement some sort of backoff related to failed MFA attempts?)

Assumptions: the actor does not have access to the MFA device but is able to programmatically iterate through all possible MFA code values as well as attempt a login for each possible MFA value.

Matthew Skillman
To clarify, I assume that it would be the case that there is a limit on the number of failed attempts but I cannot find any documentation which details this feature.
djdomi
I'm unsure, but Security would be a better place to ask this question; IMHO it is a good one, but maybe not the best fit for serverfault.com.
Tim
I think it's fine for SF, I just don't know the answer. Interesting question.
Score:1

It is not possible to quickly gain access. From what I can see, you only get 5 guesses [with regard to the MFA code] every 4 minutes. After too many failed attempts, AWS will temporarily lock the IAM user. This means that all further attempts to access that user would be pointless as even a correct MFA code will still not allow you access.
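A worked model of the attacker's odds under the throttling this answer describes, added here as an example; it is not code from the post or from AWS. It implements RFC 6238 TOTP (the scheme virtual MFA devices use: SHA-1, 30-second step, 6 digits), a verifier that rejects every attempt, correct or not, once five failures have landed within 240 seconds (the figures the answer gives; AWS does not publish the exact lock duration, so the sliding-window behaviour is an assumption of the model), and an attacker that enumerates codes sequentially while the simulated clock advances. The secret seed and timings are constructed sample values.

```python
"""Model of brute-forcing a 6-digit TOTP MFA code against a rate-limited
verifier.  Added example, not code from the original post or from AWS.
The limiter figures (5 failed attempts per 240-second window, after which
even a correct code is rejected) are the ones the answer reports; the TOTP
parameters and the attacker's behaviour are assumptions of the model.
"""
import hashlib
import hmac
import struct

STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6         # virtual MFA devices display 6 digits
MAX_FAILS = 5      # failed attempts tolerated per window (from the answer)
WINDOW = 240       # window length in seconds (from the answer)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically
    truncated to DIGITS decimal digits."""
    counter = struct.pack(">Q", now // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class ThrottledVerifier:
    """Rejects every attempt, right or wrong, while MAX_FAILS failures lie
    within the last WINDOW seconds.  This is the lock-out the answer
    describes; the sliding-window shape is an assumption."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.fail_times = []   # timestamps of recent failed attempts

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'bad' or 'locked'."""
        self.fail_times = [t for t in self.fail_times if now - t < WINDOW]
        if len(self.fail_times) >= MAX_FAILS:
            return "locked"        # a correct code is useless here too
        if hmac.compare_digest(code, totp(self.secret, now)):
            self.fail_times.clear()
            return "ok"
        self.fail_times.append(now)
        return "bad"


def sequential_guesser():
    """Attacker strategy: try 000000, 000001, 000002, ... in order."""
    state = {"n": 0}

    def guess(now: int) -> str:
        code = f"{state['n'] % 10 ** DIGITS:0{DIGITS}d}"
        state["n"] += 1
        return code
    return guess


def simulate(secret: bytes, guesser, windows: int,
             attempts_per_window: int = MAX_FAILS + 1) -> dict:
    """Run the attacker for `windows` rate-limit windows of simulated time.
    Each window it submits attempts_per_window guesses one second apart
    (one more than tolerated, so the lock is visibly hit), then waits a full
    WINDOW before continuing.  Returns counts and whether it got in."""
    verifier = ThrottledVerifier(secret)
    now = 0
    stats = {"attempts": 0, "locked": 0, "found": False, "elapsed": 0}
    for _ in range(windows):
        for _ in range(attempts_per_window):
            result = verifier.verify(guesser(now), now)
            stats["attempts"] += 1
            if result == "locked":
                stats["locked"] += 1
            elif result == "ok":
                stats["found"] = True
                stats["elapsed"] = now
                return stats
            now += 1
        now += WINDOW          # wait out the lock before the next burst
    stats["elapsed"] = now
    return stats


def expected_seconds_to_guess() -> float:
    """Against a code that rotates every STEP seconds each guess is an
    independent 1-in-10**DIGITS shot, and the limiter allows only
    MAX_FAILS of them per WINDOW seconds."""
    return 10 ** DIGITS / MAX_FAILS * WINDOW


if __name__ == "__main__":
    seed = b"constructed-sample-seed-not-a-real-one"
    print(simulate(seed, sequential_guesser(), windows=1000))
    years = expected_seconds_to_guess() / (365 * 86400)
    print(f"expected time to a hit: {years:.1f} years")
```

At 5 guesses per 240 seconds against a six-digit code that changes every 30 seconds, the expected time to a hit is 10^6 / 5 × 240 s = 48,000,000 s, about 1.5 years, and the simulation shows the sixth attempt in every window rejected regardless of what was submitted. One caveat worth keeping in mind when reading the question's "provided that MFA is required": for programmatic access with an access key pair, MFA is only required where an IAM policy conditions on aws:MultiFactorAuthPresent; without such a condition the leaked keys already grant whatever the user's policies allow, with no code to brute-force.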
