Multifactor Authentication (MFA) – Security and Compliance – SOA-C02 Study Guide

Multifactor Authentication (MFA)

Multifactor authentication is a method of authenticating a user that requires more than one way of verifying that user's identity. For example, a basic authentication method has the user provide a username and a password. With MFA, the user must also provide another item that proves the identity of that user, so a stolen or guessed password alone is not enough to sign in.

A factor in MFA is one of the items required to authenticate the user. Each factor belongs to one of three categories, and true MFA combines factors from at least two different categories (a password plus a PIN is two items from the same category, not two factors):

Something that the user has: This could be a physical object, such as a bank card, a physical key, a hardware security key that holds a unique token, or a phone running an authenticator app.

Something that the user knows: This can be another password, a PIN, or some other bit of information that only the user should know.

Something that the user is: This can include a biometric-based scan for a fingerprint, voice print, iris (eye), palm, and so on.

For AWS IAM users, you configure MFA by opening the user's summary page, clicking the Security Credentials tab, and then clicking the Manage link next to Assigned MFA Device. (The root user's MFA device is managed separately, from the account's own Security credentials page.) For the exam, you should be aware of the three types of MFA devices: Virtual MFA device, U2F security key, and Other hardware MFA device (see Figure 9.7).

FIGURE 9.7 Types of MFA devices

ExamAlert

Many different MFA devices are supported. For the exam, don’t bother memorizing the list of devices. Focus instead on the three types of MFA devices that are supported.

Best Practices in IAM

AWS has published very specific best practices for securing IAM. This information appears in the IAM User Guide, which is one of the sources of content for exam questions. In other words, you really should be aware of these best practices.

The following list is derived directly from AWS’s “Security Best Practices in IAM”:

Secure your root account access keys: Anyone who obtains the root user's access keys has complete control of your AWS account, and IAM policies do not apply to the root user. The safest practice is not to create access keys for the root user at all, to delete any that already exist, and to sign in as root only for the few tasks that require it.

Use roles instead of assigning permissions to user accounts: A role is assumed only when it is needed and returns temporary credentials that expire automatically, so a leaked credential has a short useful life. That makes roles safer than permissions attached to a user account, which are always “on” and are typically used through long-lived access keys.

Grant least privilege: It is a lazy habit to grant full access to a service when much less is needed. For example, you should not attach AmazonS3FullAccess to a user, group, or role that only needs to view the contents of S3 buckets. Under the principle of least privilege, AmazonS3ReadOnlyAccess is the better choice in this situation, and a policy scoped to the specific buckets the entity actually reads is better still.

Use AWS managed policies: AWS managed policies are the policies that AWS creates and maintains for you. Sometimes a custom policy is the better solution, but when you write a custom policy, there is a greater chance that you will accidentally create a security hole by granting more access than you intended.

Validate custom policies: Policies are written in JSON, so at a minimum run the document through a JSON validator such as the one at https://jsonlint.com after you finish writing it. A JSON validator only catches syntax errors; it says nothing about whether the policy grants more than you intended. For that, AWS provides IAM Access Analyzer policy validation, which appears automatically at the bottom of the JSON tab when you create a new policy in the console. It reports four kinds of findings: Security, Errors, Warnings, and Suggestions (see Figure 9.8).
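The following Python script is an added example for this section; it is not part of the original guide and it is not IAM Access Analyzer. It reimplements a handful of checks of the same kind (hypothetical simplifications, not the real rule set) so you can see the difference between a policy that is merely valid JSON and one that is safe to attach. The two sample policies are constructed for the example.

```python
"""Offline sanity checks for an IAM policy document.

Hypothetical example for the study guide; it is NOT IAM Access Analyzer.
It reproduces a few checks that resemble the Error / Warning / Security /
Suggestion findings the console shows.
"""
import json

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}
VALID_EFFECTS = {"Allow", "Deny"}

# Constructed sample policies (not from AWS documentation).
OVERLY_BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AlmostAdmin", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Sid": "AllOfEc2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
  ]
}"""

LEAST_PRIVILEGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListOneBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "ReadObjects", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}"""


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def validate_policy(document: str):
    """Return a list of (level, message) findings for a policy JSON string."""
    findings = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        # A syntax error is all a plain JSON validator would tell you.
        return [("Error", f"policy is not valid JSON: {exc.msg} at line {exc.lineno}")]

    if policy.get("Version") not in VALID_VERSIONS:
        findings.append(("Warning", 'missing or outdated Version; use "2012-10-17"'))

    statements = _as_list(policy.get("Statement"))
    if not statements:
        findings.append(("Error", "policy has no Statement"))

    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{idx}]")
        effect = stmt.get("Effect")
        if effect not in VALID_EFFECTS:
            findings.append(("Error", f"{sid}: Effect must be Allow or Deny"))
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(("Error", f"{sid}: needs Action or NotAction"))
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(("Error", f"{sid}: needs Resource or NotResource"))

        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if effect == "Allow":
            if "NotAction" in stmt:
                # Allow + NotAction grants everything except the listed actions.
                findings.append(("Security", f"{sid}: Allow with NotAction grants every action not listed"))
            if "*" in actions and "*" in resources:
                findings.append(("Security", f"{sid}: Allow * on * is full administrative access"))
            elif any(a.endswith(":*") for a in actions) and "Condition" not in stmt:
                findings.append(("Security", f"{sid}: service-wide wildcard action without a Condition"))
            elif "*" in resources and "Condition" not in stmt:
                findings.append(("Suggestion", f"{sid}: scope Resource to specific ARNs or add a Condition"))
    return findings


if __name__ == "__main__":
    for name, doc in (("overly broad", OVERLY_BROAD_POLICY), ("least privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"== {name} ==")
        for level, message in validate_policy(doc) or [("OK", "no findings")]:
            print(f"  [{level}] {message}")
```

Run it and compare: the broad policy produces three Security findings and one Suggestion, while the scoped S3 policy produces none, even though both are perfectly valid JSON.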

FIGURE 9.8 IAM Access Analyzer

Use customer managed policies rather than inline policies: When you assign permissions to a user, group, or role, you can either create a standalone policy first (a managed policy) and attach it, or write the policy directly on the identity when you create or modify it (an inline policy). Managed policies are better: they appear in the Policies section of IAM, where you can review them in one place; they keep previous versions so you can roll back a bad change; and one managed policy can be attached to many identities. An inline policy is visible only on the identity it was written for, is deleted along with that identity, and cannot be reused.

Review IAM permissions access levels: The responsibilities of users within an organization change, so you need to review the access levels your policies grant. There are five access levels for permissions: List, Read, Write, Permissions management, and Tagging. Permissions management deserves special attention, because an identity that can edit policies can grant itself anything else.

Create a strong password policy: Most organizations have password rules (minimum length, how often the password must be changed, and so on). If your organization has a password policy, apply it to your IAM users by configuring the account password policy in IAM. If not, choose settings that secure the accounts without creating user headaches (for example, a minimum password length of 40 characters is very secure but will likely make life difficult for your users). Note that the IAM password policy applies to IAM users only, not to the root user.

Enable MFA: Enable it for the root user and for every IAM user who has a console password. See the “Multifactor Authentication (MFA)” section earlier in this chapter.

Use roles for any application that is running on an EC2 instance: The instance profile gives the application temporary credentials automatically, so you never have to store long-lived access keys on the instance. See the “IAM Roles” section earlier in this chapter.

Do not share access keys: Access keys, like passwords, provide access to an AWS account. As a result, they should never be shared.

Rotate credentials regularly: This includes passwords and access keys, as mentioned in the “Access Keys” section earlier in this chapter.

Remove unnecessary credentials: This practice may seem obvious, but there are stories of users who left companies only to return later and find that their accounts were never deactivated or deleted. Having an offboarding process agreed with Human Resources should prevent most of these situations, but you can also monitor IAM users for inactivity by reviewing each user's Console Last Sign-in and Access Key Last Used values, or by downloading the IAM credential report, which lists those values for every user in the account in one CSV file.
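The following Python script is an added example that ties together several of the practices above (root access keys, enabling MFA, rotating credentials, and removing unused ones); it is not part of the original guide or an AWS tool. It audits an IAM credential report. The report embedded here is constructed for the example and trimmed to the columns the script reads (the real report has more, which csv.DictReader simply ignores); the 90-day threshold and the fixed "now" are assumptions so the output is reproducible.

```python
"""Audit an IAM credential report for missing MFA, root access keys and stale credentials.

Added example for the study guide, not an AWS tool. In real use fetch the report with
`aws iam generate-credential-report` and then
`aws iam get-credential-report --query Content --output text | base64 -d`.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # assumption: treat anything older than this as stale

# Constructed sample report (columns trimmed; the real report has more).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-01-03T09:12:00+00:00,false,true,2022-06-01T00:00:00+00:00,2023-11-20T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-01-28T14:03:00+00:00,true,true,2023-12-15T08:00:00+00:00,2024-01-29T07:45:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-07-02T11:00:00+00:00,false,true,2023-01-10T08:00:00+00:00,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,no_information,false,true,2023-09-01T00:00:00+00:00,2024-01-29T02:00:00+00:00,true,2022-02-01T00:00:00+00:00,2022-03-05T00:00:00+00:00
"""

NOW = datetime(2024, 1, 30, tzinfo=timezone.utc)  # fixed "now" for reproducible results


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean unknown."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _older_than(ts, now, days):
    """Unknown timestamps are treated as stale: a key that was never used is still a risk."""
    return ts is None or now - ts > timedelta(days=days)


def audit_credential_report(report_csv, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Return a sorted list of (user, finding) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"] == "true"  # root reports not_supported
        mfa = row["mfa_active"] == "true"

        # Anyone who can sign in to the console needs MFA; the root user always can.
        if (is_root or has_password) and not mfa:
            findings.append((user, "console sign-in without MFA"))
        if has_password and _older_than(_parse_ts(row["password_last_used"]), now, max_age_days):
            findings.append((user, f"password unused for >{max_age_days} days; consider disabling console access"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"active access key {n} on the root user; delete it"))
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if _older_than(rotated, now, max_age_days):
                findings.append((user, f"access key {n} not rotated for >{max_age_days} days"))
            if _older_than(last_used, now, max_age_days):
                findings.append((user, f"access key {n} unused for >{max_age_days} days; deactivate then delete"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

In the sample, alice is clean, bob has a console password without MFA plus a key that was never used, deploy-bot has two keys overdue for rotation (one of them idle for almost two years), and the root user has both an active access key and no MFA, which is the worst finding on the list.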

Policy conditions: A condition narrows a policy statement so that it applies only in a specific situation. For example, the following condition restricts a statement to requests that arrive from the IP address 192.168.100.100 (written as a /32 so it is treated as a one-address range): "Condition": { "IpAddress": { "aws:SourceIp": "192.168.100.100/32" }}. Two details matter here: the condition key is aws:SourceIp, and the operator for it is IpAddress (or NotIpAddress), not StringEquals, which would compare the address as literal text and could never match a CIDR range. Also note that aws:SourceIp is the address AWS sees on the request, so a private address like this one matches only if the request really reaches AWS from that address; requests that arrive through a VPC endpoint carry aws:VpcSourceIp instead, and calls made by an AWS service on the user's behalf may carry no source IP at all, in which case the condition evaluates to false. The more specific the statement, especially an Allow statement, the more secure you can make the policy.
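The following Python script is an added example, not code from the guide or from AWS. It is a tiny re-implementation of how three condition operators (IpAddress, NotIpAddress, and Bool) are evaluated against a request context, plus StringEquals for contrast. The statement it evaluates is constructed for the example and combines an office IP range with the aws:MultiFactorAuthPresent key, so it shows both why StringEquals is the wrong operator for aws:SourceIp and how an MFA requirement is expressed; Action and Resource matching are deliberately not modelled.

```python
"""Evaluate IAM IP-address and MFA conditions against a request context.

Added example for the study guide; a hypothetical, minimal re-implementation of
a few condition operators, not the IAM policy engine.
"""
import ipaddress

# Constructed statement: allow reads only from the office ranges and only when
# the caller authenticated with MFA.
SAMPLE_STATEMENT = {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "2001:db8::/32"]},
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
    },
}


def _values(v):
    """Condition values may be a single string or a list of strings."""
    return v if isinstance(v, list) else [v]


def _ip_match(request_ip, allowed):
    addr = ipaddress.ip_address(request_ip)
    # An IPv4 address is never inside an IPv6 network and vice versa.
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in _values(allowed))


def condition_matches(condition, context):
    """True when every operator/key pair in `condition` is satisfied by `context`.

    `context` maps condition keys to the request's values, for example
    {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": "true"}.
    A key missing from the context (aws:SourceIp on a VPC-endpoint request,
    aws:MultiFactorAuthPresent on a long-term access key) makes the pair false,
    which is how IAM treats an absent key for these operators.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "IpAddress":
                ok = _ip_match(actual, expected)
            elif operator == "NotIpAddress":
                ok = not _ip_match(actual, expected)
            elif operator == "Bool":
                ok = str(actual).lower() == str(_values(expected)[0]).lower()
            elif operator == "StringEquals":
                # Exact text comparison: "203.0.113.7" never equals "203.0.113.0/24".
                ok = actual in _values(expected)
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
            if not ok:
                return False
    return True


def statement_allows(statement, context):
    """Allow only if the Effect is Allow and every condition holds (Action/Resource not modelled)."""
    return statement["Effect"] == "Allow" and condition_matches(statement.get("Condition", {}), context)


if __name__ == "__main__":
    office_mfa = {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": "true"}
    home_mfa = {"aws:SourceIp": "198.51.100.9", "aws:MultiFactorAuthPresent": "true"}
    office_no_mfa = {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": "false"}
    vpc_endpoint = {"aws:VpcSourceIp": "10.0.1.5", "aws:MultiFactorAuthPresent": "true"}
    for name, ctx in (("office+MFA", office_mfa), ("home+MFA", home_mfa),
                      ("office, no MFA", office_no_mfa), ("VPC endpoint", vpc_endpoint)):
        print(f"{name:16} -> {'allowed' if statement_allows(SAMPLE_STATEMENT, ctx) else 'denied'}")
    wrong = {"StringEquals": {"aws:SourceIp": "203.0.113.0/24"}}
    print("StringEquals on a CIDR:", condition_matches(wrong, office_mfa))
```

The last line shows the mistake the prose warns about: the same office address that IpAddress accepts is rejected by StringEquals, because the operator compares text, not networks. Note also that aws:MultiFactorAuthPresent is only present in the context when the caller uses temporary credentials, which is why a Bool condition on it silently fails for long-term access keys.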

Monitor activity in your AWS account: AWS provides many tools for monitoring activity, several of which are covered in this book: CloudTrail (a record of the API calls made in the account), CloudWatch (metrics, logs, and alarms), AWS Config (a history of resource configuration changes), and the access logs produced by CloudFront and S3.