Top 10 AWS Security Tips: #2 Password Policies and Multi-Factor Authentication

  • Posted on:February 20, 2013
  • Posted in:Cloud
  • Posted by:
    Mark Nunnikhoven (Vice President, Cloud Research)

In last week’s post, Protecting your resources with AWS Identity and Access Management, Justin covered the basics of AWS Identity Access Management (IAM). This week, we’re going to take a look at password policies and multi-factor authentication using IAM.

Password Policies

The value of a strong password is well known. Most organizations already have a password policy in place. This policy typically defines the complexity (i.e., how many numbers and special characters are required, the minimum length of the password, etc.) and the rotation (i.e., you must change your password every 90 days).

Some policies take the next step and have different requirements for particular devices or roles, commonly for administrative access. The CSIS Top 20 controls address password policy enforcement under control #12, “Controlled Use of Administrative Privileges”. Needless to say, it’s a good idea to make sure that people with administrative access have complex passwords that rotate at least a few times a year.

IAM currently provides a set of coarse controls to enforce a password policy. You can specify one password policy for your AWS account. This policy allows you to define the level of complexity that you require for passwords, but it does not address rotation.

It’s a great idea to start using a password policy now, but you’ll need either a manual procedure to force password rotation for your users or another method of strengthening this control…or both!

Multi-Factor Authentication

AWS’ implementation of Multi-Factor Authentication (MFA) is just the method we need to strengthen password usage.

So what exactly is MFA? It’s the use of more than one authentication factor to verify who a user is. There are three common factors: something you know, something you have, and something you are.

[Figure: Activating a soft token in IAM]

Our users already have one factor, their password (something they know). For AWS, the second factor is something they have. This can either be a hardware token (available for purchase from AWS) or a soft token which can be installed on a smartphone or other device.

These tokens show a randomly generated number that must be entered after a user has entered their user name and password while signing into the AWS Management Console. The number changes every few seconds, ensuring that the user must have the device in their possession when they sign in.

A successful authentication is now the result of the correct username and password followed by the correct token-generated number for the date and time at which the user signs in.

When you first set up a user for MFA, what you’re doing is synchronizing the number generator so that AWS knows what number to expect. The setup process itself is very simple and only takes a couple of minutes for either type of token.
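To make the “number that changes with the clock” concrete, here is an added Python example (not code from this post or from AWS) of the RFC 6238 time-based one-time password scheme that soft tokens of this kind implement, together with the server-side check a verifier needs: a small clock-skew window and rejection of a code that has already been accepted. The secret is the RFC 6238 reference secret, used here only as constructed sample input; the class and function names are my own.

```python
import hashlib
import hmac
import struct

# Constructed sample input: the RFC 4226/6238 reference secret, not a real key.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch.

    This is why the token and the server must be synchronized: both derive the
    same counter from the same shared secret and the same clock.
    """
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of the exchange (hypothetical name): one code per time step."""

    def __init__(self, secret: bytes, skew_steps: int = 1, step: int = 30):
        self.secret = secret
        self.skew_steps = skew_steps          # tolerate +/- this many steps of clock drift
        self.step = step
        self.last_used_counter = -1           # highest counter already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for candidate in range(counter - self.skew_steps, counter + self.skew_steps + 1):
            # Never accept a counter at or below one already used: a captured
            # code cannot be replayed, even within the skew window.
            if candidate <= self.last_used_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_counter = candidate
                return True
        return False
```

The expected values come from the published RFC 4226 and RFC 6238 test vectors, so the same secret entered into any standards-compliant soft token would display the same six digits at those times.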

Combined Strength

A password policy is simple to set up on your AWS account, and configuring an MFA token for your privileged users can be done in a few minutes. With the barrier to entry so low, there’s really no reason not to use a strong password policy and MFA for your privileged AWS accounts.

The next step is to open up the IAM Management Console and add a password policy. Then start configuring MFA tokens for any account that has elevated privileges. These two simple steps will significantly increase the security around administrative access to the AWS Management Console. What are you waiting for?


Have any tips for managing access in AWS? Please share them in the comments! And if you’re interested in securing your EC2 or VPC instances check out our new Deep Security as a Service for cloud servers, currently in free Beta.
