aws-samples / amazon-guardduty-multiaccount-scripts

This script automates the process of running the GuardDuty multi-account workflow across a group of accounts that are in your control
Apache License 2.0

Assume role with MFA condition #9

Closed sthristov closed 5 years ago

sthristov commented 6 years ago

Hello,

It would be nice if the script supported MFA tokens as there might be a condition "aws:MultiFactorAuthPresent" on the assumed role.

Thanks, Stan

msusta commented 6 years ago

This will not be possible with an easy change to the current code, since the script is processing the accounts one by one, and since it takes quite some time to process each account, your MFA code would be outdated after the first (few?) accounts.

sthristov commented 6 years ago

Hello, Yes, that's why I opened the issue, as I was not able to find an elegant solution. In order to use the script I had to make a change that prompts me for an MFA for each account when the script switches to another account, I just make sure not to use the same MFA code twice. It's not an ideal solution but I still managed to get the job done faster than manual work. Thanks, Stan

vvadymv commented 6 years ago

Hi @sthristov, just wondering, could you please push your changes? :) I have just patched enableguardduty.py myself to provide similar functionality.

sthristov commented 6 years ago

Hi @vvadymv, My modifications are not very 'pretty' to be honest and there are some hard coded things there. I'm not a developer so that's why I haven't created a pull request with it.

etendards commented 5 years ago

Any progress on this? I think STS can use the MFA of the original or default account. I know we can set up our profiles this way for the CLI.

ryanholland commented 5 years ago

If the role you are attempting to assume in the member account requires MFA, then it would require you to have a token code for each account; there's also the possibility that the token code would expire before all the regions were processed for a given account. I'd suggest using a role that does not require MFA (a least-privilege policy that only allows the ability to control GuardDuty is in the readme) rather than trying to add MFA to this script.
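The one-prompt-per-account approach sthristov describes, written out as an added example (not the repository's code) in the boto3 call style the script uses. The role name, MFA device ARN and account ids are placeholders, and `FakeSTS` is a constructed stand-in for `boto3.client('sts')` so the flow runs without AWS access; with a real client, the credentials returned for an account are reused for every region of that account, so the one-time code is only needed at the moment of the AssumeRole call.

```python
import getpass


class TokenReuseError(Exception):
    """Raised when the same one-time MFA code would be submitted twice."""


def assume_member_role(sts, account_id, role_name, mfa_serial, token_code,
                       duration=3600):
    """AssumeRole into one member account with an MFA code (boto3 signature).

    The temporary credentials STS returns stay valid for `duration` seconds
    even after the one-time code has rotated, so a single prompt per account
    is enough to cover every region of that account.
    """
    resp = sts.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="guardduty-multiaccount",
        SerialNumber=mfa_serial,   # ARN of the caller's (virtual) MFA device
        TokenCode=token_code,
        DurationSeconds=duration,
    )
    return resp["Credentials"]


def credentials_per_account(sts, accounts, role_name, mfa_serial,
                            prompt=getpass.getpass):
    """Prompt once per account, refuse to reuse a code, and return
    {account_id: Credentials} for use with boto3.client(..., region_name=r)."""
    used, creds = set(), {}
    for account in accounts:
        code = prompt(f"MFA code for account {account}: ").strip()
        if code in used:
            raise TokenReuseError(f"code {code} already used; wait for the next one")
        used.add(code)
        creds[account] = assume_member_role(sts, account, role_name, mfa_serial, code)
    return creds


class FakeSTS:
    """Constructed stand-in for boto3.client('sts') so the flow runs offline."""
    def __init__(self):
        self.calls = []   # every AssumeRole request, for inspection

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIA" + kwargs["TokenCode"],
                                "SecretAccessKey": "constructed-secret",
                                "SessionToken": "constructed-token"}}
```

Run it against `FakeSTS()` to see the per-account prompt and the reuse guard; swap in `boto3.client("sts")` and a real device ARN to assume the roles for real.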