@compassdigital/talos

Custom authorizer that enables multi-factor authenticated requests to AWS.

Usage (no npm install needed!)

<script type="module">
  import compassdigitalTalos from 'https://cdn.skypack.dev/@compassdigital/talos';
</script>

README

Talos

Compass Digital Labs

Talos is an easy-to-use authorization tool that generates secure, temporary AWS credentials for an organization's users and allows for easy cross-account federation.

Features

  • Efficient question-based walkthrough structure
  • Minimal technical knowledge required
  • Provides machine-wide role-based AWS access in as few as two keypresses

Installation & Usage

Please refer to the walkthrough for detailed instructions.

Use NPM to install the package globally.

  npm i @compassdigital/talos -g

Then, in your terminal, run:

  talos

Why Talos?

AWS programmatic access credentials rely on a single authentication factor: if co-opted by an attacker, a long-lived access key provides full, unrestricted use of the user's permissions for as long as it remains active. AWS prompts for multi-factor authentication at console sign-in, but an access key presented directly to the API is never challenged for a second factor on its own; MFA can only be required of API calls indirectly, by structuring permissions so that the key alone is not enough.

Talos works in tandem with a role-based - not policy-based - AWS permissions structure. The process is as follows:

  1. A user's base programmatic access credentials grant no access to resources on their own - the only action they are permitted is assuming a role
  2. Roles, in turn, have the desired AWS policies attached to them
  3. Users may assume the roles that have been granted to them in order to gain the permissions of the role's policies
  4. Role assumption is temporary - the session credentials expire after the requested duration, bounded by the role's maximum session duration (configurable from 1 to 12 hours)

Talos builds on the AWS STS AssumeRole API. The role's trust policy requires MFA (the aws:MultiFactorAuthPresent condition key), and the AssumeRole call carries the user's MFA device serial number and one-time code, so the temporary credentials and console sessions Talos hands back are multi-factor authenticated, while the base access key by itself satisfies none of the roles' trust policies.
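To make the four steps above concrete, here is an added example (written for this page, not code from the Talos package) showing the pieces behind MFA-gated role assumption: a trust policy that only an MFA-authenticated caller can satisfy, a simplified evaluator that shows why a bare access key is refused, the validated parameters a client must send to sts:AssumeRole, and the profile block written from the returned session credentials. The account id, role and MFA ARNs, request contexts and credential values are constructed placeholders, and the evaluator models only IAM's Bool and NumericLessThan operators, not the full policy engine. Sending the built parameters is left to the SDK (in @aws-sdk/client-sts that is an AssumeRoleCommand on an STSClient).

```javascript
// Added example, not code from the Talos package. Account id, ARNs and the
// request contexts are constructed placeholders; trustPolicyAllows() is a
// simplified model of IAM's Bool / NumericLessThan operators, not the real engine.

// Trust policy for a role that may only be assumed with MFA. A plain long-lived
// access key never carries aws:MultiFactorAuthPresent in its request context,
// so it cannot satisfy this; an AssumeRole call that includes SerialNumber and
// TokenCode does.
function mfaTrustPolicy(accountId, maxMfaAgeSeconds = 3600) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { AWS: `arn:aws:iam::${accountId}:root` },
        Action: "sts:AssumeRole",
        Condition: {
          Bool: { "aws:MultiFactorAuthPresent": "true" },
          NumericLessThan: { "aws:MultiFactorAuthAge": String(maxMfaAgeSeconds) },
        },
      },
    ],
  };
}

// Simplified evaluation of the trust policy against a request context.
// An absent condition key fails both operators, which is exactly why an
// unchallenged access key gets nothing from a role guarded this way.
function trustPolicyAllows(policy, requestContext) {
  return policy.Statement.some((stmt) => {
    if (stmt.Effect !== "Allow" || stmt.Action !== "sts:AssumeRole") return false;
    const cond = stmt.Condition || {};
    for (const [key, want] of Object.entries(cond.Bool || {})) {
      if (!(key in requestContext) || String(requestContext[key]) !== want) return false;
    }
    for (const [key, limit] of Object.entries(cond.NumericLessThan || {})) {
      if (!(key in requestContext)) return false;
      if (!(Number(requestContext[key]) < Number(limit))) return false;
    }
    return true;
  });
}

// The request a client sends to sts:AssumeRole. Everything is validated before
// any network call, so a mistyped TOTP code or an over-long session fails
// locally. STS accepts DurationSeconds from 900 up to the role's
// MaxSessionDuration, which itself ranges from 1 to 12 hours.
// Only virtual MFA device ARNs are accepted here (hardware serials are not handled).
function buildAssumeRoleParams({ roleArn, sessionName, mfaSerial, tokenCode,
                                 durationSeconds = 3600, maxSessionDuration = 3600 }) {
  if (!/^arn:aws:iam::\d{12}:role\/[\w+=,.@/-]+$/.test(roleArn)) throw new Error(`invalid role ARN: ${roleArn}`);
  if (!/^arn:aws:iam::\d{12}:mfa\/[\w+=,.@/-]+$/.test(mfaSerial)) throw new Error(`invalid MFA device ARN: ${mfaSerial}`);
  if (!/^[\w+=,.@-]{2,64}$/.test(sessionName)) throw new Error(`invalid session name: ${sessionName}`);
  if (!/^\d{6}$/.test(tokenCode)) throw new Error("MFA token code must be exactly six digits");
  const maxAllowed = Math.min(maxSessionDuration, 12 * 3600);
  if (durationSeconds < 900 || durationSeconds > maxAllowed) {
    throw new Error(`DurationSeconds must be between 900 and ${maxAllowed}`);
  }
  return {
    RoleArn: roleArn,
    RoleSessionName: sessionName,
    SerialNumber: mfaSerial,
    TokenCode: tokenCode,
    DurationSeconds: durationSeconds,
  };
}

// Turn the Credentials object STS returns into a profile block for
// ~/.aws/credentials. The expiry goes in a comment line so the user can see
// when the session dies; the CLI's ini parser ignores comment lines.
function credentialsProfile(profileName, credentials) {
  const expires = new Date(credentials.Expiration).toISOString();
  return [
    `[${profileName}]`,
    `aws_access_key_id = ${credentials.AccessKeyId}`,
    `aws_secret_access_key = ${credentials.SecretAccessKey}`,
    `aws_session_token = ${credentials.SessionToken}`,
    `# session expires ${expires}`,
  ].join("\n");
}

// Walkthrough with constructed values.
const policy = mfaTrustPolicy("123456789012");
// A stolen long-lived key calling AssumeRole without MFA: no MFA keys in context.
const withoutMfa = trustPolicyAllows(policy, {});
// The same key, but the call carried SerialNumber + TokenCode 90 seconds ago.
const withMfa = trustPolicyAllows(policy, {
  "aws:MultiFactorAuthPresent": true,
  "aws:MultiFactorAuthAge": 90,
});
const params = buildAssumeRoleParams({
  roleArn: "arn:aws:iam::123456789012:role/Developer",
  sessionName: "alice",
  mfaSerial: "arn:aws:iam::123456789012:mfa/alice",
  tokenCode: "123456",
  durationSeconds: 3600,
});
console.log({ withoutMfa, withMfa, params });
```

Attach the trust policy to each role the user may assume, keep the base user's own policy limited to sts:AssumeRole on those roles, and the only path to any resource is an MFA-authenticated, time-limited session.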

What does it all mean?

  1. A hijacked access key is worth little on its own: without the user's MFA device it cannot assume any role, and the base credentials are permitted nothing else
  2. Different roles can be granted to the same user for different tasks, reducing the chance of misfires or of a user modifying resources they didn't mean to
  3. The act of assuming a role serves as an additional acknowledgment that the user is prepared to exercise the permissions of that role, limiting human error

License

Compass Digital Labs 2021, all rights reserved