James Thew - Fotolia


Managing AWS multi-factor authentication

Creating a strong password policy in AWS is one step to protect data. If managed properly, multi-factor authentication adds another layer of protection.

Headlines about system breaches and compromised data will leave any systems or application manager questioning security controls, especially authentication methods. Even if you've created strong password policies for AWS users, you should have additional protection -- especially for the root account or for highly privileged users. Amazon's multi-factor authentication protects interactive and programmatic access to data and AWS resources.

Multi-factor authentication (MFA) is the practice of requiring two or more types of authentication entities -- typically, something you know and something you have. Amazon Web Services (AWS) uses MFA based on username-password authentication and one-time passwords. And MFA can be valuable for providing additional security, but it also requires additional management. There are a few things to keep in mind when managing AWS multi-factor authentication.

Manage multi-factor authentication on a user-by-user basis. Look at each end user's security privileges and use MFA to mitigate security risks if the user account could be used to compromise the integrity of data, leak confidential data to unauthorized users or incur substantial AWS resource usage charges.

Review compliance requirements. Depending on your industry and the type of data end users can access, admins may need to implement MFA to remain in compliance with regulations.

Determine costs associated with securing mobile devices. Administrators can enable MFA for an AWS account as well as for identity and access management (IAM) users. While MFA is suitable for a root account, consider costs before enabling MFA for IAM user accounts. There are costs associated with using hardware MFA devices, ranging from $12.99 to $19.99 per device, depending on the type of device used. Virtual MFA device apps are freely available for Android, iOS, Windows Phones and BlackBerry. Virtual MFA apps allow users to create multiple virtual MFA devices and associate them with different accounts.

If you are the owner of an account and the MFA device associated with it is stolen or malfunctions, you will have to contact AWS support. They will disable MFA so you can log in using only a username and password. If you are the owner of an AWS account and you have associated other IAM users with that account, you can disable MFA for those users using the administration console

Users who work with multiple accounts require multiple MFA devices. Each MFA device is associated with a single AWS root account or IAM user. If the use of hardware devices is required, users need multiple hardware devices. Virtual MFA devices may be a better option in these cases.

Link MFA with API access to services. You can use AWS multi-factor authentication to add more security control over services and accounts. For example, if you want to limit access to confidential data stored in AWS Simple Storage Service (S3), you could require multi-factor authentication to use the S3 API. It takes two steps to use MFA with API access to services. First, users need an MFA device associated with their user account and the system admin needs to create a policy with a condition verifying the end user has authenticated with an MFA device.

After an admin correctly establishes the user account and policy, end users can make calls to the API using the following procedure: The user issues an API call to either AssumeRole or GetSessionToken. As part of the call, the end user includes a device identifier and a one-time password. Each API returns a temporary security credential that is used with subsequent API calls.

About the author:
Dan Sullivan holds a master of science degree and is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.

Dig Deeper on AWS security