In last week’s post, Protecting your resources with AWS Identity and Access Management, Justin covered the basics of AWS Identity Access Management (IAM). This week, we’re going to take a look at password policies and multi-factor authentication using IAM.
The value of a strong passwords is well known. Most organizations already have a password policy in place. This policy typically defines the complexity (i.e., how many numbers, special characters, length of the password, etc.) and the rotation (i.e., you must change your password every 90 days).
Some policies take the next step and have different requirements for devices or roles–commonly for administrative access. The CSIS: Top 20 controls address password policy enforcement under control #12, the “Controlled Use of Administrative Privileges”. Needless to say, it’s a good idea to make sure that people with administrative access have complex passwords that rotate at least a few times a year.
IAM currently provides a set of course controls to enforce a password policy. You can specify 1 password policy for your AWS account. This policy allows you to define the level of complexity that you require for passwords but does not address rotation.
It’s a great idea to start using a password policy now but you’ll need either a manual procedure to force password rotation for your users or another method of strengthening this control…or both!
AWS’ implementation of Multi-Factor Authentication (MFA) is just the method we need to strengthen password usage.
So what exactly is MFA? It’s the use of more than one authentication factor to verify who a user is. There are three common factors: something you know, something you have, and something you are.
Our users already have one factor, their password (something they know). For AWS, the second factor is something they have. This can either be a hardware token (available for purchase from AWS) or a soft token which can be installed on a smartphone or other device.
These tokens show a randomly generated number that must be entered after a user has entered their user name and password while signing into the AWS Management Console. The number changes every few seconds, ensuring that the user must have the device in their possession when they sign in.
A successful authentication is now the result of the correct username and password followed by the proper token generated number for the date & time the user signs in.
When you first setup a user for MFA, what you’re doing is synchronizing the number generator so that AWS knows what number to expect. The setup process itself is very simple and only takes a couple of minutes for either type of token.
A password policy is simple to setup on your AWS account and configuring an MFA token for your privileged users can be done in a few minutes. With the barrier for entry so low, there’s really no reason not to use a strong password policy and MFA for your privileged AWS accounts.
The next step is to open up the IAM Management Console and add a password policy. Then start configuring MFA tokens for any account that has elevated privileges. These two simple steps will signficantly increase the security around administrative access to the AWS Management Console. What are you waiting for?
Have any tips for managing access in AWS? Please share them in the comments! And if you’re interested in securing your EC2 or VPC instances check out our new Deep Security as a Service for cloud servers, currently in free Beta.