Multi-factor Authentication in AWS program
As the security of Amazon Web Services (AWS) cloud resources becomes more of a priority, the need for Multi-factor Authentication (MFA) continues to grow. While there are many ways to enable MFA in AWS, effectively using it can be challenging. This blog post will dive into three ways to effectively use MFA inside your AWS environment.
The first method uses AWS Identity and Access Management (IAM) to configure MFA for individual accounts or assign multiple MFA devices to a single account to use as a shared root or IAM user account. The second approach is federating the login so that MFA can be enforced elsewhere, leveraging your organization’s existing identity systems. Lastly, you can enforce MFA in the AWS Command Line Interface (CLI) by requiring users to authenticate with their MFA device and create a temporary AWS CLI session before they can perform API operations.
By understanding and successfully enforcing these MFA mechanisms, organizations can enhance their security posture and meet compliance requirements, particularly those mandated by FedRAMP.
Identity and Access Management (IAM)
AWS IAM users can enhance the security of their accounts by adding hardware or virtual MFA devices that will be used to log in to the AWS console. In addition to IAM users, it is an AWS best practice and FedRAMP requirement to add MFA to the root user account.
AWS supports up to eight MFA devices to the root account and IAM user accounts. This expansion allows organizations to utilize shared accounts securely as if they were individual accounts. Using this method, users can log into a shared account using their individual MFA device that has been assigned to that account providing organizations with sufficient identification, authentication, and nonrepudiation mechanisms for system access.
With AWS CloudTrail, you can analyze console login events to see which user logged in and which MFA device was used during that login. When using a shared account with multiple assigned MFA devices, it is easy to track which individual has logged into the shared account by looking at the MFA device that was used for that login.
Identity Federation
Identity federation in AWS allows organizations to grant permissions to users, web applications, or mobile applications outside of AWS, enabling them to access AWS resources within an AWS account. IAM Identity Center allows you to set up and centrally manage federated access for multiple AWS accounts within your environment. This approach minimizes the need to create additional IAM users by leveraging existing accounts within the corporate directory or identity system, such as Active Directory. By combining MFA with identity federation, organizations can ensure that only authenticated and authorized users access AWS resources, thereby enhancing security and meeting compliance requirements.
To implement identity federation using IAM Identity Center, the first step is to establish a trust relationship between your Identity Provider (IdP) and AWS. AWS supports various IdPs, including Active Directory Federation Services (AD FS), Okta, and Azure AD. This involves configuring the IdP to trust AWS as a service provider and AWS to trust the IdP as an identity provider. Identity standards supported by AWS include SAML 2.0, OIDC, and OAuth 2.0. Organizations need to ensure that IAM roles define the permissions that federated users will have to manage access and authorization.
Once a trust has been established, the next step is to enforce MFA for the IAM roles associated with federated users. This can be done by creating an IAM policy that requires MFA for specific actions and attaching it to the role. MFA with your IdP may involve setting up MFA policies within your IdP, such as requiring users to use a One Time Password (OTP) app or a hardware token.
By leveraging existing identity systems and enforcing MFA, organizations can protect their AWS resources from unauthorized access while simplifying user management.
ASW CLI
AWS CLI can be utilized for automation in your environment using custom scripts to conduct tasks and provision and manage your AWS infrastructure. These scripts will need to access your AWS resources to successfully run API operations and commands.
When accessing resources via AWS CLI it’s important that these resources remain secure and that accounts trying to access these resources are authenticated. An IAM policy must be developed enforcing MFA for users, allowing them to perform application programming interface (API) operations and commands in AWS CLI. Once this policy is attached to an IAM user, they will not be able to access resources unless a temporary session is created using an assigned MFA device to authenticate.
To receive the temporary credentials, users must utilize the AWS Security Token Service (STS) “GetSessionToken” command, along with the MFA device serial number assigned to the user, and an authentication code from that MFA device. These credentials will last for twelve (12) hours by default and provide validation that the user has authenticated using MFA and can now perform API operations and run commands in AWS CLI based on established permissions.
Conclusion
It has become clear that multi-factor authentication is essential for enhancing the security of cloud resources within your environment. Leveraging these MFA practices will help improve organization security and achieve FedRAMP compliance with a variety of controls including IA-2(1), IA-2(2), IA-2(5), IA-2(6), and IA-2(8) which discuss multi-factor authentication for privileged and non-privileged accounts, shared accounts, and implementing replay-resistant mechanisms.
As cloud adoption continues to grow, implementing robust identity and access management practices, including MFA, will remain a critical component of any organization’s security strategy – resulting in the ability for organizations to protect their resources from unauthorized access.
About Fortreum:
We started with a mission to simplify cloud and cybersecurity challenges for our customers. With an extensive track record spanning nearly a quarter of a century across Public and Private Sectors, we possess a keen dedication to solving our customers complex cloud and cybersecurity challenges. Our industry commitment extends to supporting and fostering the development of future cybersecurity experts within our communities. We encourage you to investigate our services further to learn how leverage to cybersecurity as a business enabler.
Should you have questions about your cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreum.com/contact/
References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
https://aws.amazon.com/identity/federation/
https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/
https://repost.aws/knowledge-center/authenticate-mfa-cli
Tutorial: AWS Identity and Access Management (IAM) support for multiple MFA devices: https://www.youtube.com/watch?v=Wv_2iG5MXIM