I was setting up some AWS IAM users in Terraform recently and ran smack into an issue that reminded me of the power and the peril of AWS. The issue at hand was ensuring that every user signed in with multi-factor authentication (MFA). This turned out to be well documented, both in a third-party blog post and in AWS's own documentation. Enforcing it was a matter of creating a policy (basically copying and pasting from the AWS documentation), attaching it to the relevant groups, and then testing. The policy works by denying every action except a short list of IAM and STS calls whenever the request was not made with MFA. If you don't log in with MFA, you have a very limited subset of functionality available (basically, you can turn on MFA).
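Here is what that looks like expressed in Terraform. This is an added example, not the author's own configuration; it follows the structure of the policy AWS documents for this purpose and assumes an `aws_iam_group` resource named `developers` already exists in the same module. Note the `$$` escape: Terraform would otherwise try to interpolate `${aws:username}`, which must reach IAM literally.

```hcl
# Added example: a "force MFA" policy, attached to an existing group.
# Assumes resource "aws_iam_group" "developers" is defined elsewhere.

data "aws_iam_policy_document" "force_mfa" {
  # Read-only account info the console needs to render the MFA setup page.
  statement {
    sid       = "AllowViewAccountInfo"
    effect    = "Allow"
    actions   = ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"]
    resources = ["*"]
  }

  # A user may create or delete only their own virtual MFA device.
  statement {
    sid       = "AllowManageOwnVirtualMFADevice"
    effect    = "Allow"
    actions   = ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"]
    resources = ["arn:aws:iam::*:mfa/$${aws:username}"]
  }

  # A user may enable, resync, list or deactivate MFA only on themselves.
  statement {
    sid    = "AllowManageOwnUserMFA"
    effect = "Allow"
    actions = [
      "iam:DeactivateMFADevice",
      "iam:EnableMFADevice",
      "iam:ListMFADevices",
      "iam:ResyncMFADevice",
    ]
    resources = ["arn:aws:iam::*:user/$${aws:username}"]
  }

  # Everything not listed above is denied when MFA is absent.
  # BoolIfExists matters: requests signed with long-term access keys carry
  # no aws:MultiFactorAuthPresent key at all, and this treats a missing key
  # the same as "false", so plain access keys are locked down too.
  statement {
    sid    = "DenyAllExceptListedIfNoMFA"
    effect = "Deny"
    not_actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:GetUser",
      "iam:ListMFADevices",
      "iam:ListVirtualMFADevices",
      "iam:ResyncMFADevice",
      "sts:GetSessionToken",
    ]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "force_mfa" {
  name   = "ForceMFA"
  policy = data.aws_iam_policy_document.force_mfa.json
}

resource "aws_iam_group_policy_attachment" "force_mfa" {
  group      = aws_iam_group.developers.name
  policy_arn = aws_iam_policy.force_mfa.arn
}
```

Two things to check before rolling this out. First, `sts:GetSessionToken` stays allowed because CLI users need it to bootstrap an MFA session: they run `aws sts get-session-token --serial-number <mfa-arn> --token-code <code>` with their long-term keys and then use the returned temporary credentials, which do carry `aws:MultiFactorAuthPresent=true`. Second, attach this only to groups of human users; an access key used by a script or CI job can never satisfy the condition and will be denied everything.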
Think about this. It was trivial to make sure that everyone has to log in with MFA by finding the right documentation and applying it. That's the power of AWS and its very full-featured and granular permissions system.
However, the peril of AWS is that I had to find this and make sure to attach it to the correct groups. I had to document for our end users exactly how to turn on MFA. And I'm responsible for maintaining that policy. I was surprised that this wasn't an AWS managed policy. This seems like a policy that AWS should own. In fact, you could argue that requiring MFA should be a sane default that you have to explicitly turn off (though I understand why that isn't the case, both from a 'first time experience' view and from a backwards compatibility view).
AWS gives you a powerful set of tools that you can use in myriad ways to achieve your goals. However, the very complexity that comes with such a set of tools means that you need to make sure you know how to use them well.