Hacker News

MFA gets in the way of automation and large-scale ad hoc actions.

Say I want to load a huge amount of data, or do a ton of S3 uploads. My role assumption via MFA / TOTP lasts 4 hours.

Now say you are doing lots of different "big data" flows, how do you assume privileges when you need them?

I understand what MFA / TOTP brings to security, but security people pretend like my job is about logging into a box once-in-a-while for a couple minutes, and that is the ONLY USE CASE.

Least privilege is another thing that sounds great to a security guy but is a nightmare for development. So whenever you do anything off the beaten path (diagnose new systems deployed, try new database backends, do some data moves or loads, backup/restore), uh oh, you spend a ton of time diagnosing shortfalls and decoding error messages. The security guy DOES NOT CARE.

S3 is a perfect example. S3 should be simple. It is a nightmare of permissions on the user side, permissions on the bucket, and even worse across accounts. Tiresome. Magic numbers/dates for the policy "version" field, what is with THAT? ACLs/policies stomping over each other.

The funny thing is, ask a security person to first enable CloudWatch and dig through the data to find issues and vulnerabilities, or ask security people to actually produce well-tuned IAM roles for what you need. Guess what? They don't want to do it. They want to sit around making checklists and sending memos.
