Protecting the root user with a security key, Titan Security Key v2

2

Hi there,

I'd like to protect our organisations root account with a security key and purchased a Google Titan Security Key v2. According to the AWS docs, I am using a supported key, browser and OS.*

However, when I try to actually register the key, I am getting to the step when I have to press the button on the key and then get an unspecific error message from AWS. ("Error registering security key") The browser console shows a few messages that indicate a problem in the AWS setup. There is also a failed request to IAM with "com.amazon.coral.service#AccessDeniedException" in the response.

How can I troubleshoot this?

Kind regards, André

  • The key is listed as a compatible key on the FIDO2 web site.
  • The key must be registered as a MFA with microsoft or other browser company dependant upon your browser. In my case, this means I registered my key as MFA method in Microsoft as my browser during my console session was Microsoft edge. I do not know the inner workings of each case but maybe the public key and nonce are not shared from the titan key unless they come from the browser? Maybe this is not your answer but triggers a solution path for others? Best of Luck!

7개 답변
1

Hi André.

To make sure that we're looking at the right service: Is it correct that you try to register an MFA device for the root user of your organization's management account, i.e. in IAM (not IAM Identity Center)?

You should have a CloudTrail event logged for this action, can you please paste it here (redacting potential sensitive content such as account numbers)? In many cases, these events more information than the error you see in the console. The event should be EnableMFADevice and/or ResyncMFADevice for hardware MFA devices.

profile pictureAWS
Michael
답변함 5달 전
  • Thank you for taking the time to answer! Yes, it is the root user of the management account. I have checked CloudTrail and it shows the "AccessDenied":

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "Root",
            "principalId": "...",
            "arn": "arn:aws:iam::...:root",
            "accountId": "...",
            "accessKeyId": "...",
            "userName": "...",
            "sessionContext": {
                "sessionIssuer": {},
                "webIdFederationData": {},
                "attributes": {
                    "creationDate": "2023-11-30T09:02:38Z",
                    "mfaAuthenticated": "true"
                }
            }
        },
        "eventTime": "2023-11-30T09:23:56Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "EnableMFADevice",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "217.110.100.231",
        "userAgent": "AWS Internal",
        "errorCode": "AccessDenied",
        "requestParameters": null,
        "responseElements": null,
        "requestID": "d817aa38-ee6e-4166-81a0-bd73a42f8085",
        "eventID": "9c48f7ee-cf20-4dac-b421-fefcd6919802",
        "readOnly": false,
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "...",
        "eventCategory": "Management",
        "sessionCredentialFromConsole": "true"
    }
    
  • OK that's indeed tricky. I was thinking of an SCP issue (see also this guidance), but they don't apply to the root user in the management account. Do I correctly assume that you don't have the maximum number of MFA devices registered already? Did you try to register a virtual MFA device, just to see if this works?

    It might be that you'll need to create a support request for this issue, looks like it could be something specific to your account.

  • I have a single virtual MFA device on my account that I have been using for years now (TOTP through Google Authenticator). I don't have SCPs enabled. Looks like I have to upgrade our plan to actually be able to ask such a question to AWS support :-/ Thank you!

  • Since this is an account-related topic, you are able to open a case also without upgrading your plan. See here:

    Basic Support offers support for account and billing questions and service quota increases. The other plans offer a number of technical support cases with pay-by-the-month pricing and no long-term contracts.

    I hope this helps resolving the issue!

1

Now it seems that Titan Security Key v2 is available for USB connection...

https://qiita.com/moritalous/items/3d2d5a7bf6805ae32802

(↑This article is written in Japanese.)

I have no idea why it wasn't available before...

답변함 2달 전
  • へーすごい…AWS lets us do trial and error it seems …

0

same problem here, I have both titan key versions, my first mfa device is V1 no problems there, i register it normally, but i just get a new v2 as backup key and I have the same error message with my root user, even I tried delete the v1 and try both again, same problem: V1 works fine, v2 always shows an error message

But... I have a IAM user too and through IAM Identity Center I can register my TK V2 to my IAM user no problems there, maybe there is any restriction on root users to use TK V2?

답변함 4달 전
0

Same problem and even tried different browsers(Chrome, Safari and Firefox). From Chrome console errors I see that "PublicKeyCredentialCreationOptions.pubKeyCredParams" is not specifed when WebAuthn is used. From Google Chrome's help page https://chromium.googlesource.com/chromium/src/+/main/content/browser/webauth/pub_key_cred_params.md

This means Google Chrome defaults to ES256 (-7) and RS256 (-257) and AWS backend is not expecting this values, hence spitting http 400 errors.

Roney
답변함 3달 전
0

Same problem here. In my case, I have already MFA configured with VirtualApp Google Authenticator, but when I try to register the Google Titan USB key it fails with the same error.

답변함 3달 전
0

Same problem here. I can register it on mobile (android) but when I try to use it on any browser on windows, it still fails.

vanbako
답변함 3달 전
0

Same for me. When I register my Google Titan K52T on my android phone via NFC, it works. On AWS it is listed as U2F. When I try on the computer by plugging it in, I receive the error message "Error Registering Key".

Neil
답변함 3달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠