Using KeePass for AWS Root Account Credentials

This guide provides details on using KeePass password management software to manage AWS root account credentials.

Please start by reading Separation of duties & storage of AWS root account credentials for background on the structure.

Installing KeePass with MFA TOTP support

KeePass is free, open source, software that stores passwords in an AES encrypted database. KeePass can manage basic passwords, but can also be configured with a plugin on Windows to support the generation of Multi-Factor Authentication Timed One Time Password codes.

Note: KeePass itself is cross-platform, but the plugin to generate MFA TOTP passwords can only be used with KeePass for Windows.

  1. Follow the KeePass setup instructions to install KeePass 2 for Windows using the automated installer.

  2. Next, install the KeeOtp plugin by following the installation instructions. The manual steps are: a. Download the latest stable version of the KeeOtp zip file. b. Extract the zip file. c. Copy the KeeOtp.dll and OtpSharp.dll files from the dlls directory into the root directory of your KeePass installation. For example: C:\Program Files (x86)\KeePass Password Safe

  3. Open, or restart KeePass.

Create the Credentials Databases in KeePass

Follow these steps to create a new credentials database using KeePass:

  1. Open KeePass 2.

  2. If prompted for the password of an existing database, click Cancel.

  3. Create a new database with by clicking File, then New…

  4. Specify the appropriate location for the structure above. For example: \AWSRootAccounts\SuperUsers\AWSRootPasswords.kdbx

  5. Click Save.

  6. Enter a new strong Master password for the database and click OK.

  7. Accept the default database settings by clicking OK.

  8. Default groups and entries are created by KeePass, clean them out by using right click then Delete on each.

  9. Deleting groups and items moves the data into the Recycle Bin by default, it’s recommended to delete the Recycle Bin group itself when done to ensure a completely clean database.

  10. To save the database, click File then Save.

Storing the AWS Root Password

When creating a new AWS account, store the root password in KeePass by:

  1. Create your AWS account (called aaa in this example) using a strong password.

  2. Open KeePass 2.

  3. Open the AWSRootPasswords file and enter your database password.

  4. In the folder pane, left click on the AWSRootPasswords folder to select it.

  5. Click Edit then Add Entry…

  6. In the dialog, enter: a. Title: aaa b. User name: c. Password: YourPassword

  7. Click OK to close the password entry dialog.

  8. Click File, then Save to save the database changes.

Logging into AWS as root

Logging into an AWS account as root:

  • Does NOT record who is acting as root. (It just knows they have credentials.)
  • Does give the root actor full AWS permissions.
  • Does record events in CloudTrail.

Best practice is to only use the AWS root account in emergencies when IAM access has been corrupted.

In this design, separation of duties requires two users to work together for access to the AWS root account. A member of the SuperUsers group has access to the password (and ultimately acts as root), and a member of the Approvers group has access to the current MFA TOTP code which is shared with the SuperUser to allow access.

The steps are as follows:

  1. Sue, a member of SuperUsers, decides that access to the AWS root account is necessary.

  2. Sue contacts Alan, a member of Approvers, to explain the situation and justification. (Typically a ticket would be required and appropriate.)

  3. Alan agrees that AWS root access is required.

  4. Sue opens the KeePass database called AWSRootPasswords in KeePass and enters the database password to gain access.

  5. Sue opens the AWS Console sign in page.

  6. Sue enters the AWS account details. For example: a. Email address: b. Password: RootPasswordFromKeePass

  7. Sue is then prompted for an MFA TOTP code.

  8. Alan opens the KeePass database called AWSMFAKeys in KeePass and enters the database password to gain access.

  9. Alan right clicks on the account entry aaa and then clicks Timed One Time Password.

  10. The MFA TOTP is displayed to Alan and refreshes every 30 seconds.

  11. Alan communicates the current code to Sue, via phone, instant messenger or similar.

  12. Sue enters the MFA TOTP into the AWS console and completes her login as root.

Was this article helpful?
0 out of 0 found this helpful