amazon-archives / awsmobile-cli

CLI experience for Frontend developers in the JavaScript ecosystem.
Apache License 2.0

IAM security status and awsmobile-cli #55

Closed jonsmirl closed 6 years ago

jonsmirl commented 6 years ago

I was working through the react demo and hit this problem...

If you do the five security tasks outlined in the IAM dashboard, then the react demo probably isn't going to work. And since AWS keeps prompting you to do these security tasks I would suspect a lot of people have done them.

awsmobile won't work because the user account CLI access privs probably don't match the root privs you can access via the AWS webUI. You will get an error telling you to activate the service role and it will pop up a webpage. You'll look and see that the service role is there (because it was made in the UI with root priv). You will then observe that the CLI still doesn't work (since it is on a different user). Most beginners will give up at this point because it is pretty hard to diagnose what is going on. Another way it fails is the cli reports that it can't find a project for the UUID, but then if you look using the WebUI it is there.

So how to fix this? awsmobile probably has to get smarter about detecting when the cli privs don't equal the root privs. It should probably make the backend via cloudformation instead of running scripts inside of the UI. If you made it via cloudformation you'd get real errors from the missing privs.

elorzafe commented 6 years ago

Hi @jonsmirl.

Did you have issues while using awsmobile-cli?

We are investigating this issue and trying to replicate this problem.

Thanks!

jonsmirl commented 6 years ago

After a while AWS will start nagging you to do the five security steps on the AWS IAM dashboard. And I agree those are good steps to do. One of those steps is to delete your root credentials and make a user account with fewer privileges.

When you delete your root credentials they will stop working in aws-cli and awsmobile. Then you can add in the new credentials you just made with less privs.

Now try to use awsmobile again. It will likely fail because the new credentials are missing some necessary privilege. But... the error messages don't tell you what privileges to add to this user account in order to make it work with awsmobile.

To make it more confusing, those error messages contain links that jump you into the AWS webui. So you will look at things from the webui and everything will seem ok. That's because the web UI is the root user. But then when you go back to the cli things won't work; that's because the cli is running on the new user that the IAM Dashboard told you to create when you deleted your root credentials. awsmobile should detect this situation and guide beginners through the process of adding privileges to the cli user until awsmobile can function.

Why does IAM nag you to delete the root credentials? Because there are botnets scanning github for people that accidentally check in root credentials that don't have MFA enabled. When the bots find credentials like that they will spin up EC2 and start bitcoin mining. And when you wake up, you'll find a bill from AWS for $250,000.

UnleashedMind commented 6 years ago

Thanks @jonsmirl, we are aware of the issues of exposing root credentials. Using root credentials with the CLI is not suggested. For now, in order to use the CLI, the user only needs to have four sets of permissions:

AWSMobileHub_FullAccess
AWSDeviceFarmFullAccess
AWSLambdaFullAccess
IAMReadOnlyAccess

And then enable mobile hub service role on it.

The CLI now has a new user setup workflow; it is usually able to detect that a user is setting up AWS access for the first time, and then walk the new user through the steps.
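A diagnostic along the lines this thread asks for, written as an added example (not awsmobile-cli code): it classifies the identity the CLI is actually running as and reports which of the four managed policies named above are not attached, so the "works in the console, fails in the CLI" mismatch is visible in one step. The `identity_kind` and `diagnose` functions are assumptions for this example, and policies inherited through IAM groups are not checked.

```python
"""Diagnose the CLI-identity vs. console (root) mismatch described in this issue.

Added example; not part of awsmobile-cli. Assumes the four policy names quoted
in the comment above are the complete set the CLI user needs.
"""
REQUIRED_POLICIES = {
    "AWSMobileHub_FullAccess",
    "AWSDeviceFarmFullAccess",
    "AWSLambdaFullAccess",
    "IAMReadOnlyAccess",
}


def identity_kind(caller_arn):
    """Classify an STS GetCallerIdentity ARN as 'root', 'user', 'role' or 'unknown'."""
    # Root looks like arn:aws:iam::123456789012:root (no resource type prefix);
    # an IAM user looks like arn:aws:iam::123456789012:user/name.
    resource = caller_arn.split(":", 5)[-1]
    if resource == "root":
        return "root"
    if resource.startswith("user/"):
        return "user"
    if resource.startswith(("assumed-role/", "role/")):
        return "role"
    return "unknown"


def diagnose(caller_arn, attached_policy_names):
    """Return the identity kind, the missing managed policies, and a verdict."""
    kind = identity_kind(caller_arn)
    missing = sorted(REQUIRED_POLICIES - set(attached_policy_names))
    findings = {"identity": kind, "missing_policies": missing}
    if kind == "root":
        findings["verdict"] = "root credentials in use; create an IAM user instead"
    elif missing:
        findings["verdict"] = "attach the missing policies to the CLI identity"
    else:
        findings["verdict"] = "required managed policies present"
    return findings


if __name__ == "__main__":
    # Live check against the configured credentials (needs boto3); not exercised offline.
    import boto3
    arn = boto3.client("sts").get_caller_identity()["Arn"]
    names = []
    if identity_kind(arn) == "user":
        user = arn.rsplit("/", 1)[-1]
        resp = boto3.client("iam").list_attached_user_policies(UserName=user)
        names = [p["PolicyName"] for p in resp["AttachedPolicies"]]
    print(diagnose(arn, names))
```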

UnleashedMind commented 6 years ago

I'm closing this issue for now, feel free to reopen it or open another issue when you see a problem.